Windows Analysis Report
Scancontract103.exe

Overview

General Information

Sample Name: Scancontract103.exe
Analysis ID: 713039
MD5: 9d2a2b596cd979fc9674824d2aa731df
SHA1: 015e8ae0f838e0fba35643297530a5b9a66e4186
SHA256: c4a2c953833c8d6b5d2ef71b997700559ecc9f23573d89072d205f963e46956c
Tags: exe, NanoCore, RAT
Infos:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Scancontract103.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\Scancontract103.exe" MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • Scancontract103.exe (PID: 1760 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
      • schtasks.exe (PID: 2636 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2300 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Scancontract103.exe (PID: 6052 cmdline: C:\Users\user\Desktop\Scancontract103.exe 0 MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 4632 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 2576 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • dhcpmon.exe (PID: 1012 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 2300 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 5420 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 408 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "c5cb65e3-79c3-43dc-bde0-43ed679c", "Group": "Default", "Domain1": "79.134.225.6", "Domain2": "", "Port": 60110, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  
</Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
Source | Rule | Description | Author | Strings
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    Source | Rule | Description | Author | Strings
    20.2.Scancontract103.exe.33695a4.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    20.2.Scancontract103.exe.33695a4.0.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    20.2.Scancontract103.exe.33695a4.0.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    20.2.Scancontract103.exe.33695a4.0.raw.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    21.2.dhcpmon.exe.2dc9658.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost

    AV Detection

    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Persistence and Installation Behavior

    Source: Process started, Author: Joe Security, Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\Scancontract103.exe, ParentProcessId: 1760, ParentProcessName: Scancontract103.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, ProcessId: 2636, ProcessName: schtasks.exe

    Stealing of Sensitive Information

    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    No Snort rule has matched

    AV Detection

    Source: Scancontract103.exe, Virustotal: Detection: 40%
    Source: 79.134.225.6, Virustotal: Detection: 6%
    Source: Yara match, File source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR
    Source: Scancontract103.exe, Joe Sandbox ML: detected
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
    Source: 6.0.Scancontract103.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, Avira: Label: TR/NanoCore.fadte
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c5cb65e3-79c3-43dc-bde0-43ed679c", "Group": "Default", "Domain1": "79.134.225.6", "Domain2": "", "Port": 60110, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n 
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Source: Scancontract103.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Scancontract103.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Networking

    Source: Malware configuration extractor, URLs:
    Source: Malware configuration extractor, URLs: 79.134.225.6
    Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
    Source: Joe Sandbox View, IP Address: 79.134.225.6 79.134.225.6
    Source: global traffic, TCP traffic: 192.168.2.3:49707 -> 79.134.225.6:60110
    Source: unknown, TCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: dhcpmon.exe, 00000010.00000002.390909200.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    Source: Yara match, File source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR

    Operating System Destruction

    Source: C:\Users\user\Desktop\Scancontract103.exe, Process information set: 01 00 00 00

    System Summary

    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Scancontract103.exe, FrmMain.cs, Long String: Length: 129663
    Source: 0.0.Scancontract103.exe.170000.0.unpack, FrmMain.cs, Long String: Length: 129663
    Source: dhcpmon.exe.6.dr, FrmMain.cs, Long String: Length: 129663
    Source: Scancontract103.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 6052, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: dhcpmon.exe PID: 1012, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 0_2_049FD4B40_2_049FD4B4
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145E4716_2_0145E471
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145E4806_2_0145E480
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145BBD46_2_0145BBD4
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D65506_2_053D6550
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DD4E86_2_053DD4E8
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D3E306_2_053D3E30
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DC8D06_2_053DC8D0
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D4A506_2_053D4A50
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DD5A66_2_053DD5A6
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D4B086_2_053D4B08
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D8ED0 NtSetInformationProcess,6_2_053D8ED0
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D8EC9 NtSetInformationProcess,6_2_053D8EC9
    Source: Scancontract103.exe, 00000000.00000000.254620443.0000000000172000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename8voN7Es.exe: vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.326192763.00000000075A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.325921725.00000000073F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.546358238.0000000003EA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.548456934.0000000006360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 0000000F.00000002.398015480.000000000438A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 0000000F.00000002.398402298.0000000004519000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exeBinary or memory string: OriginalFilename8voN7Es.exe: vs Scancontract103.exe
    Source: Scancontract103.exeVirustotal: Detection: 40%
    Source: C:\Users\user\Desktop\Scancontract103.exeFile read: C:\Users\user\Desktop\Scancontract103.exe
    Source: Scancontract103.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Scancontract103.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\Scancontract103.exe "C:\Users\user\Desktop\Scancontract103.exe"
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\Scancontract103.exe C:\Users\user\Desktop\Scancontract103.exe 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scancontract103.exe.log
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
    Source: classification engineClassification label: mal100.troj.evad.winEXE@26/8@0/1
    Source: Scancontract103.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\Scancontract103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_01
    Source: C:\Users\user\Desktop\Scancontract103.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c5cb65e3-79c3-43dc-bde0-43ed679c8c9b}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Program Files (x86)\DHCP Monitor
    Source: Scancontract103.exe, 00000000.00000003.275810844.000000000598C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: DITC Blackadder is a Trademark of International Typeface Corporation.slnt
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\Scancontract103.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Scancontract103.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Scancontract103.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: Scancontract103.exe, FrmMain.cs .Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: 0.0.Scancontract103.exe.170000.0.unpack, FrmMain.cs .Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: dhcpmon.exe.6.dr, FrmMain.cs .Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: C:\Users\user\Desktop\Scancontract103.exe Code function: 6_2_053DFC4A push FFFFFFE0h; ret 6_2_053DFC4C
    Source: initial sample Static PE information: section name: .text entropy: 7.0886542606348
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\Scancontract103.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)

    Boot Survival

    Source: C:\Users\user\Desktop\Scancontract103.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\Scancontract103.exe File opened: C:\Users\user\Desktop\Scancontract103.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Scancontract103.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: Yara match File source: 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 0000000F.00000002.395467089.000000000318B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 0000000F.00000002.395467089.000000000318B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -2767011611056431s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239859s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239703s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239594s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239468s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239359s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239234s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239109s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238998s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238874s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238717s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238273s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238138s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237999s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237856s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237736s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237594s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237475s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237359s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237232s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237091s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236976s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236859s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236750s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236621s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236374s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236265s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236130s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235983s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235859s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235749s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235625s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235484s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235328s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235202s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235093s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234983s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234859s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234703s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234562s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234433s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234311s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234202s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234076s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233937s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233797s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233670s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233545s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233422s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233296s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233156s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5352Thread sleep time: -17524406870024063s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 2384Thread sleep count: 9421 > 30Jump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236750s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236547s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236344s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236218s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236094s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235968s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235840s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235681s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235364s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235203s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234995s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234820s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234697s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234588s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234453s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234328s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234156s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234046s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233937s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233750s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233594s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233406s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233203s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233068s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232939s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232703s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232500s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232341s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232186s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231844s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231703s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231546s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231386s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231264s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231154s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231039s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230906s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230776s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230639s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230531s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230373s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230229s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230094s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229943s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229797s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229656s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229515s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229376s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229125s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228999s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228797s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228685s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228546s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228435s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228297s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228170s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228042s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227887s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227750s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227594s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227453s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227328s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227201s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227047s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -20291418481080494s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239703s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239500s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239250s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238844s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238686s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238546s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238344s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238203s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238034s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237891s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237750s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237619s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237483s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237349s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237203s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236881s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236750s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236593s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236466s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236250s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235891s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235717s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235531s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235384s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235265s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235141s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234841s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234715s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234593s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234426s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234296s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234170s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234042s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233856s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233746s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233605s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233453s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233302s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233141s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232995s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232844s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232733s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232594s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232453s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232327s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232141s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231989s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231844s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231703s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231573s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231467s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231354s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231244s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231109s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230994s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230859s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230732s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230587s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230453s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230324s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230200s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230060s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229920s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229794s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229641s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239703s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239453s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239202s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239088s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238889s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238656s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238500s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238356s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238250s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238140s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238000s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237844s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237687s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237547s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237385s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237250s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237062s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236906s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236750s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236547s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236406s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236203s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236062s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235887s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235748s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235517s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235297s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235186s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235059s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234936s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234797s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234652s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234500s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234368s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234230s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234086s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233953s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233780s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 4364 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5056 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1096 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\Scancontract103.exe Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exe Window / User API: threadDelayed 8928
    Source: C:\Users\user\Desktop\Scancontract103.exe Window / User API: threadDelayed 9578
    Source: C:\Users\user\Desktop\Scancontract103.exe Window / User API: foregroundWindowGot 675
    Source: C:\Users\user\Desktop\Scancontract103.exe Window / User API: threadDelayed 9421
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 9541
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Window / User API: threadDelayed 9561
    Source: C:\Users\user\Desktop\Scancontract103.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\Scancontract103.exe | Process token adjusted: Debug
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Scancontract103.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Scancontract103.exeMemory written: C:\Users\user\Desktop\Scancontract103.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeMemory written: C:\Users\user\Desktop\Scancontract103.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}Jump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmpJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmpJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}Jump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}Jump to behavior
    Source: Scancontract103.exe, 00000006.00000002.548631838.00000000064DD000.00000004.00000010.00020000.00000000.sdmp, Scancontract103.exe, 00000006.00000002.545166472.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000006.00000002.533870000.0000000002FE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe
    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match File source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara match File source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match File source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara match File source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR

    Remote Access Functionality

    Source: Scancontract103.exe, 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: Yara match, File source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Scheduled Task/Job
    1
    Scheduled Task/Job
    112
    Process Injection
    2
    Masquerading
    21
    Input Capture
    11
    Security Software Discovery
    Remote Services21
    Input Capture
    Exfiltration Over Other Network Medium1
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    Scheduled Task/Job
    1
    Disable or Modify Tools
    LSASS Memory2
    Process Discovery
    Remote Desktop Protocol11
    Archive Collected Data
    Exfiltration Over Bluetooth1
    Non-Standard Port
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion
    Security Account Manager21
    Virtualization/Sandbox Evasion
    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Remote Access Software
    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)112
    Process Injection
    NTDS1
    Application Window Discovery
    Distributed Component Object ModelInput CaptureScheduled Transfer1
    Application Layer Protocol
    SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Deobfuscate/Decode Files or Information
    LSA Secrets12
    System Information Discovery
    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    Hidden Files and Directories
    Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items2
    Obfuscated Files or Information
    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job22
    Software Packing
    Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
    [Behavior graph: ID 713039, Sample: Scancontract103.exe, Startdate: 29/09/2022, Architecture: WINDOWS, Score: 100]

    Source | Detection | Scanner | Label | Link
    Scancontract103.exe | 40% | Virustotal | | Browse
    Scancontract103.exe | 100% | Joe Sandbox ML | |

    Source | Detection | Scanner | Label | Link
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |

    Source | Detection | Scanner | Label | Link | Download
    6.0.Scancontract103.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    6.2.Scancontract103.exe.5910000.4.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
     | 0% | Avira URL Cloud | safe |
    http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
    http://www.fonts.comc | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cna-d | 0% | URL Reputation | safe |
    http://www.tiro.com | 0% | URL Reputation | safe |
    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
    http://en.wikip | 0% | URL Reputation | safe |
    http://www.carterandcone.coml | 0% | URL Reputation | safe |
    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
    http://www.typography.netD | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
    http://fontfabrik.com | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
    http://www.fontbureau.comoitu | 0% | URL Reputation | safe |
    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
    http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe |
    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
    79.134.225.6 | 7% | Virustotal | | Browse
    http://www.sakkal.com | 0% | URL Reputation | safe |
    79.134.225.6 | 0% | Avira URL Cloud | safe |
    http://www.founder.com.cn/cntyp9 | 0% | Avira URL Cloud | safe |
    http://www.fontbureau.commv | 0% | Avira URL Cloud | safe |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
     | true | Avira URL Cloud: safe | low
    79.134.225.6 | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            79.134.225.6 | unknown | Switzerland | | 6775 | FINK-TELECOM-SERVICESCH | true
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:713039
                            Start date and time:2022-09-29 22:57:49 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 30s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:Scancontract103.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:27
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@26/8@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 43
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            Time | Type | Description
                            22:58:48 | API Interceptor | 969x Sleep call for process: Scancontract103.exe modified
                            22:59:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            22:59:16 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Scancontract103.exe" s>$(Arg0)
                            22:59:16 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                            22:59:26 | API Interceptor | 255x Sleep call for process: dhcpmon.exe modified
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                            79.134.225.6 | 55DHL RECEIPT DOCUMENT.js | Get hash | malicious | Browse | ablegod.hopto.org:6439/is-ready
                            No context
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                            FINK-TELECOM-SERVICESCH | Order#00573444985776877________________.exe | Get hash | malicious | Browse | 79.134.225.7
                             | INQ - O26.jar | Get hash | malicious | Browse | 79.134.225.85
                             | INQ - O26.jar | Get hash | malicious | Browse | 79.134.225.85
                             | Order_RI678922.20220926.js | Get hash | malicious | Browse | 79.134.225.83
                             | IMG2022926.js | Get hash | malicious | Browse | 79.134.225.77
                             | DHL_Shipment-Notification_5596073630-QURY-93838392-27273827273-courier.exe | Get hash | malicious | Browse | 79.134.225.92
                             | INQ-022UCI.jar | Get hash | malicious | Browse | 79.134.225.85
                             | INQ-022UCI.jar | Get hash | malicious | Browse | 79.134.225.85
                             | IMG-SCAN210922.exe | Get hash | malicious | Browse | 79.134.225.75
                             | Shiping Details PL BL Draft IVN-FDX54635537355.exe | Get hash | malicious | Browse | 79.134.225.36
                             | image2021042GFREDS12322ERDQ1DOC03027382DOC202.exe | Get hash | malicious | Browse | 79.134.225.116
                             | DWG spare parts 455RTMGF Model.exe | Get hash | malicious | Browse | 79.134.225.115
                             | Factura.exe | Get hash | malicious | Browse | 79.134.225.11
                             | SecuriteInfo.com.Variant.Lazy.243659.18139.7481.exe | Get hash | malicious | Browse | 79.134.225.36
                             | SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe | Get hash | malicious | Browse | 79.134.225.115
                             | mlipidpmoe.exe | Get hash | malicious | Browse | 79.134.225.22
                             | Payment EFT.xls | Get hash | malicious | Browse | 79.134.225.8
                             | COADO 0000236 DTD.exe | Get hash | malicious | Browse | 79.134.225.6
                             | D2 DMF OPEN PARTUPS.exe | Get hash | malicious | Browse | 79.134.225.6
                             | D2 DMF OPEN PARTUPS (2).exe | Get hash | malicious | Browse | 79.134.225.27
                            No context
                            No context
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):854528
                            Entropy (8bit):7.084655686253337
                            Encrypted:false
                            SSDEEP:12288:sx9I2iNl/joW7EsJ2uM1DgC9tqGdpb5QyXYzvtMdADqjJ5ns:N1fEW7T4RDgvGdpHYzQjrs
                            MD5:9D2A2B596CD979FC9674824D2AA731DF
                            SHA1:015E8AE0F838E0FBA35643297530A5B9A66E4186
                            SHA-256:C4A2C953833C8D6B5D2EF71B997700559ECC9F23573D89072D205F963E46956C
                            SHA-512:768843F52697AC5A8E8FF71FF5A66BCA977CC6FAD9DA349CE77EEE431AA5252EC07187D52BCE92BD50BBCEC1A10B6CE1A9123DBAFA1E34D7A36AC2A9E511CEF3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1302
                            Entropy (8bit):5.3499841584777394
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxH5
                            MD5:A7D610296B11732FD61A88BC218783AC
                            SHA1:EE89E72AF3A15DAB847055A9F9F88FD934113857
                            SHA-256:7F3A7CE69B42D8C832F0FBB57C0523D6F098DC090D39616C05277F8DB9F4F9E9
                            SHA-512:8C0AC1893FF0A7FE287D4FC650943D33D1546200A89C2A502FE9BCB11DA6227533FD8F966EE8651B7E7BD8B5EA11403AD930D022D1D75B3EAA6D24D625F779DF
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1302
                            Entropy (8bit):5.3499841584777394
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxH5
                            MD5:A7D610296B11732FD61A88BC218783AC
                            SHA1:EE89E72AF3A15DAB847055A9F9F88FD934113857
                            SHA-256:7F3A7CE69B42D8C832F0FBB57C0523D6F098DC090D39616C05277F8DB9F4F9E9
                            SHA-512:8C0AC1893FF0A7FE287D4FC650943D33D1546200A89C2A502FE9BCB11DA6227533FD8F966EE8651B7E7BD8B5EA11403AD930D022D1D75B3EAA6D24D625F779DF
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):1310
                            Entropy (8bit):5.109425792877704
                            Encrypted:false
                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1305
                            Entropy (8bit):5.103232147891814
                            Encrypted:false
                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0hxtn:cbk4oL600QydbQxIYODOLedq3Ij
                            MD5:965D081052473031B1DA64E2A9CA6356
                            SHA1:2CE6D29C2C4C5E0AAF98B74E3661A7C8A214B554
                            SHA-256:81A542AC638DC1591CE04076330AAC190AA871FCD83AD2F3AB3C758BF6BB7713
                            SHA-512:27338E725AB8992E95A77425347AED5878829AAEBBBFF14348E610DB2F8255F812CDAA636E11B1128C1637C982C4B8E58E670FD8D4F97E6694C8A4EDE849A8B4
                            Malicious:true
                            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:Non-ISO extended-ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):2.75
                            Encrypted:false
                            SSDEEP:3:YRH/t:Yhl
                            MD5:3D6AAF34F494EBB7AEE72D9F1E409974
                            SHA1:AB6D9E593DF00E22315A1ED553CAFA40EFEE1FBA
                            SHA-256:D1B3C5C1EB2839519CA0B0E4E5DCF6120D0A14E2D81056AC11F2057443740705
                            SHA-512:14B3475E8E166D8351CC349F62EF6B1572793E07A6ADA611C2B4412A17951D4A3D08BC757F4D8542AB98E6A9024F4873F7417B7996B6B710BA2A8A54BF6087B5
                            Malicious:true
                            Preview:.l...H
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):42
                            Entropy (8bit):4.350068910616443
                            Encrypted:false
                            SSDEEP:3:oNWXp5v2GOUDu:oNWXpF2/
                            MD5:AA619EA44F715A3F4CF627DD80CFED11
                            SHA1:5BFC5B8E726014C10FD0226AFAE783DEC203CB6B
                            SHA-256:25186E981F6DA5CA846C5BC3A97592D4D39BA2F43AB7AA2A0B4088C5FA54AAB4
                            SHA-512:2255746B212D29944BDA7AFD8294D5A3E073908670BFDA9038FB68C056302F4F01B757AC22F95A72076443690B6228B73A9A94CB5383E2CE510ED98910B43DA3
                            Malicious:false
                            Preview:C:\Users\user\Desktop\Scancontract103.exe
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.084655686253337
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Scancontract103.exe
                            File size:854528
                            MD5:9d2a2b596cd979fc9674824d2aa731df
                            SHA1:015e8ae0f838e0fba35643297530a5b9a66e4186
                            SHA256:c4a2c953833c8d6b5d2ef71b997700559ecc9f23573d89072d205f963e46956c
                            SHA512:768843f52697ac5a8e8ff71ff5a66bca977cc6fad9da349ce77eee431aa5252ec07187d52bce92bd50bbcec1a10b6ce1a9123dbafa1e34d7a36ac2a9e511cef3
                            SSDEEP:12288:sx9I2iNl/joW7EsJ2uM1DgC9tqGdpb5QyXYzvtMdADqjJ5ns:N1fEW7T4RDgvGdpHYzQjrs
                            TLSH:11054A2429EB922CF4B69BF95FC8F8FB4C5BFA61252960F624A153468B33E05CCD1435
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5c..............P.................. ... ....@.. .......................`............@................................
                            Icon Hash:00828e8e8686b000
                            Entrypoint:0x4d13d6
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x63358100 [Thu Sep 29 11:26:56 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd1384 | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x11ec | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0xcf3dc | 0xcf400 | False | 0.697853447300965 | COM executable for DOS | 7.0886542606348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xd2000 | 0x11ec | 0x1200 | False | 0.3947482638888889 | data | 5.057459517659846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xd4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            RT_VERSION | 0xd2090 | 0x330 | data | |
                            RT_MANIFEST | 0xd23d0 | 0xe15 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators | |
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            TimestampSource PortDest PortSource IPDest IP


                            Target ID:0
                            Start time:22:58:46
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Scancontract103.exe"
                            Imagebase:0x170000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:6
                            Start time:22:59:07
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x970000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:11
                            Start time:22:59:14
                            Start date:29/09/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
                            Imagebase:0x7ff745070000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:12
                            Start time:22:59:14
                            Start date:29/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:13
                            Start time:22:59:15
                            Start date:29/09/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:14
                            Start time:22:59:15
                            Start date:29/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:15
                            Start time:22:59:16
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\Scancontract103.exe 0
                            Imagebase:0xd50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            Target ID:16
                            Start time:22:59:16
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                            Imagebase:0xe90000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            Reputation:low

                            Target ID:17
                            Start time:22:59:22
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                            Imagebase:0xa70000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            Target ID:18
                            Start time:22:59:45
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x2a0000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:19
                            Start time:22:59:45
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x390000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:20
                            Start time:22:59:46
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0xd50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:21
                            Start time:22:59:46
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x990000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:22
                            Start time:22:59:53
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x180000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:23
                            Start time:22:59:55
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:24
                            Start time:22:59:55
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x870000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET
                            Reputation:low


                              Execution Graph

                              Execution Coverage:13.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:146
                              Total number of Limit Nodes:7

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 049FAECE
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,049FD15E,?,?,?,?,?), ref: 049FD627
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,049FD15E,?,?,?,?,?), ref: 049FD627
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 049F74D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 049F777D
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 92 49f9fe8-49fb130 94 49fb138-49fb167 LoadLibraryExW 92->94 95 49fb132-49fb135 92->95 96 49fb169-49fb16f 94->96 97 49fb170-49fb18d 94->97 95->94 96->97
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049FAF49,00000800,00000000,00000000), ref: 049FB15A
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: f776177b73a57976a4f427dd5adf7e4ebe4ba576a440850a26f8f29ad6430568
                              • Instruction ID: bd08689a7267266700ce872531f7ceb564c2bb765c83207f9d3ae57af08982e1
                              • Opcode Fuzzy Hash: f776177b73a57976a4f427dd5adf7e4ebe4ba576a440850a26f8f29ad6430568
                              • Instruction Fuzzy Hash: 6A1114B29003099FDB10CF9AD844BDEFBF8EB88324F14842AE519A7200D779A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 100 49f7458-49f749a 103 49f749c-49f749e 100->103 104 49f74a0 100->104 105 49f74a5-49f74b0 103->105 104->105 106 49f74b2-49f74e3 RtlEncodePointer 105->106 107 49f7511-49f751e 105->107 109 49f74ec-49f750c 106->109 110 49f74e5-49f74eb 106->110 109->107 110->109
                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 049F74D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: 91e63e4e1a5f0448a3e170c9c733a5d359c867174b31d9f40bd5fe2bb88b2a78
                              • Instruction ID: 6893f74488a2428a16e23e86f00c21142ce6d28a20f745fc40fe2e875befaaca
                              • Opcode Fuzzy Hash: 91e63e4e1a5f0448a3e170c9c733a5d359c867174b31d9f40bd5fe2bb88b2a78
                              • Instruction Fuzzy Hash: 8A116AB0A003098FDF10CFA5DA4879ABFF8FB89364F108469D805A3240D779A5458FA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 112 49f7708-49f7739 113 49f7741-49f7748 call 49f7588 112->113 114 49f773c call 49f7530 112->114 117 49f774e 113->117 118 49f774a-49f774c 113->118 114->113 119 49f7753-49f775b 117->119 118->119 120 49f775d-49f778e RtlEncodePointer 119->120 121 49f77b7-49f77c9 119->121 123 49f7797-49f77ad 120->123 124 49f7790-49f7796 120->124 123->121 124->123
                              APIs
                              • RtlEncodePointer.NTDLL(00000000), ref: 049F777D
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID:
                              • API String ID: 2118026453-0
                              • Opcode ID: 76e6b4ca8c310cc0c791cd0fb589dbb43cfa9b02551a5035c7f6e5145a66979b
                              • Instruction ID: 04ecd4cadf05c153558bd217bc9f1b9dad6ad655ad104d9d269c3d334a238687
                              • Opcode Fuzzy Hash: 76e6b4ca8c310cc0c791cd0fb589dbb43cfa9b02551a5035c7f6e5145a66979b
                              • Instruction Fuzzy Hash: A5118BB19107498FDB20DFE9DA4479EBBF8EB98318F2044ADC509A7340D779A905CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 126 49fb0e9-49fb130 128 49fb138-49fb167 LoadLibraryExW 126->128 129 49fb132-49fb135 126->129 130 49fb169-49fb16f 128->130 131 49fb170-49fb18d 128->131 129->128 130->131
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049FAF49,00000800,00000000,00000000), ref: 049FB15A
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: ff2e8509d24811f5ff07b0813ea210e4ca7e3c803a679076fa6897a80b1e2d4e
                              • Instruction ID: 54813a3e0735044750c9d9d25401bc318556871551dc2f7f83b3d64dfbd61573
                              • Opcode Fuzzy Hash: ff2e8509d24811f5ff07b0813ea210e4ca7e3c803a679076fa6897a80b1e2d4e
                              • Instruction Fuzzy Hash: DA11F6B6D00209CFDB10CFAAD944BDEFBF8AB88324F14842AD529B7640C775A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 134 49fae61-49faea8 135 49faeaa-49faead 134->135 136 49faeb0-49faedb GetModuleHandleW 134->136 135->136 137 49faedd-49faee3 136->137 138 49faee4-49faef8 136->138 137->138
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 049FAECE
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 49b6cd64a08fd3fd0a8c3507d00868501fd555be8aa7ee3b931cee6638cf4240
                              • Instruction ID: 195785aa9e52f4803a941d25f40857ad0ddea2c6c3f5e2827cf400b9125aaf31
                              • Opcode Fuzzy Hash: 49b6cd64a08fd3fd0a8c3507d00868501fd555be8aa7ee3b931cee6638cf4240
                              • Instruction Fuzzy Hash: BC1119B5C016098FDB10CF9AD844BDFFBF9EB48314F14842AD519A7600C375A546CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 140 49fae68-49faea8 141 49faeaa-49faead 140->141 142 49faeb0-49faedb GetModuleHandleW 140->142 141->142 143 49faedd-49faee3 142->143 144 49faee4-49faef8 142->144 143->144
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 049FAECE
                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: a47712f444420cc86550d251d0cb82eda726867c3c2bcee8197ed549f9029d8d
                              • Instruction ID: cc08582033eb53393d1c3bd8f8ea3eaf8afab06a64c6fa09e2a6db8ffb65f90f
                              • Opcode Fuzzy Hash: a47712f444420cc86550d251d0cb82eda726867c3c2bcee8197ed549f9029d8d
                              • Instruction Fuzzy Hash: EB11E0B6C006498FDB10CF9AD848BDFFBF8AB88324F14846AD519A7600D779A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.315523585.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_49f0000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e6a5efca7de5bf216844db657cc8acce112204b5f805bd6620d867b8c13821a5
                              • Instruction ID: 5343b6a384381218faf0d892b3509cb648ef200d0f8f4577b9a67ee5dc58a768
                              • Opcode Fuzzy Hash: e6a5efca7de5bf216844db657cc8acce112204b5f805bd6620d867b8c13821a5
                              • Instruction Fuzzy Hash: 2BA18F32E00619CFCF15DFA5C84499EBBB6FF89304B15817AEA15AB225EB31E905CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:16.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:1.6%
                              Total number of Nodes:193
                              Total number of Limit Nodes:12
                              APIs
                              • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 053D8F43
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: InformationProcess
                              • String ID:
                              • API String ID: 1801817001-0
                              • Opcode ID: 1a273fb14ec6c9b9ca14de9c4b135b46a5508eb424da10bd15dd68eb05c3b482
                              • Instruction ID: ebd405026db461de8d85728e195e7500d79352953051dd8f91a639b88ad2e139
                              • Opcode Fuzzy Hash: 1a273fb14ec6c9b9ca14de9c4b135b46a5508eb424da10bd15dd68eb05c3b482
                              • Instruction Fuzzy Hash: 0811E4B59042499FCB10DF9AD484BDEFBF8FB48324F10842AE959A7200D375A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 053D8F43
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: InformationProcess
                              • String ID:
                              • API String ID: 1801817001-0
                              • Opcode ID: ae3e8eb00064556aa9bffc0a572677d36dfb088a2d137178a75304fe4790e4f6
                              • Instruction ID: 4682389229fcc6eecbdec8b8eeeee8c821cec0f2203ec1dd46d36471168737cc
                              • Opcode Fuzzy Hash: ae3e8eb00064556aa9bffc0a572677d36dfb088a2d137178a75304fe4790e4f6
                              • Instruction Fuzzy Hash: 8011D4B5D042499FCB10DF9AD584BDEFBF8FB48324F10842AE919A7240D779A544CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0145B730
                              • GetCurrentThread.KERNEL32 ref: 0145B76D
                              • GetCurrentProcess.KERNEL32 ref: 0145B7AA
                              • GetCurrentThreadId.KERNEL32 ref: 0145B803
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-2740779761
                              • Opcode ID: 2a1fe3a33994136757bfe2bbd71578e6c5179c7e11f76b65a9716038253a07fd
                              • Instruction ID: 80023e44cfe91bcb883405865c26359cb2e8015946345d78fafbe9304c8c55ab
                              • Opcode Fuzzy Hash: 2a1fe3a33994136757bfe2bbd71578e6c5179c7e11f76b65a9716038253a07fd
                              • Instruction Fuzzy Hash: CA5154B4900249CFDB54CFAAD548BEEBBF1FF88314F28846AE409A73A1D7745844CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0145B730
                              • GetCurrentThread.KERNEL32 ref: 0145B76D
                              • GetCurrentProcess.KERNEL32 ref: 0145B7AA
                              • GetCurrentThreadId.KERNEL32 ref: 0145B803
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-2740779761
                              • Opcode ID: c37ef8101b3b269168859d126f6d6489cc19d4ab0bccc190d46f22920509c603
                              • Instruction ID: f4320d51261925d7aca35a79d01a0c3d91e2618c640ea609acd1cdbc4ec33c49
                              • Opcode Fuzzy Hash: c37ef8101b3b269168859d126f6d6489cc19d4ab0bccc190d46f22920509c603
                              • Instruction Fuzzy Hash: EE5154B49002098FEB14CFAAD548BDEBBF1FF88314F24846AE419A73A0D7745844CF65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1197 145faa0-145fb88 1198 145fbec-145fc5e 1197->1198 1199 145fb8a-145fbd8 call 145da04 1197->1199 1201 145fc60-145fc66 1198->1201 1202 145fc69-145fc70 1198->1202 1203 145fbdd-145fbde 1199->1203 1201->1202 1204 145fc72-145fc78 1202->1204 1205 145fc7b-145fd1a CreateWindowExW 1202->1205 1204->1205 1207 145fd23-145fd5b 1205->1207 1208 145fd1c-145fd22 1205->1208 1212 145fd5d-145fd60 1207->1212 1213 145fd68 1207->1213 1208->1207 1212->1213 1214 145fd69 1213->1214 1214->1214
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0145FD0A
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: e5878098cdbd2d2ee4e18aa7418e1a36ab32f5f4cd753ee2a0975ad61e2e0b10
                              • Instruction ID: 256bab2aa461bf1dc91c10104613ca7cf0c42f690fda328d3ce320024637f4b6
                              • Opcode Fuzzy Hash: e5878098cdbd2d2ee4e18aa7418e1a36ab32f5f4cd753ee2a0975ad61e2e0b10
                              • Instruction Fuzzy Hash: 14915E718483889FCB06CFA9C8909CDBFB1FF4A314F1981ABE884AB262D7345845CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1215 14593e8-14593f0 1216 14593fb-14593fd 1215->1216 1217 14593f6 call 1458704 1215->1217 1218 1459413-1459417 1216->1218 1219 14593ff 1216->1219 1217->1216 1220 1459419-1459423 1218->1220 1221 145942b-145946c 1218->1221 1270 1459405 call 1459660 1219->1270 1271 1459405 call 1459670 1219->1271 1220->1221 1226 145946e-1459476 1221->1226 1227 1459479-1459487 1221->1227 1222 145940b-145940d 1222->1218 1225 1459548-1459608 1222->1225 1263 1459610-145963b GetModuleHandleW 1225->1263 1264 145960a-145960d 1225->1264 1226->1227 1229 1459489-145948e 1227->1229 1230 14594ab-14594ad 1227->1230 1231 1459490-1459497 call 1458710 1229->1231 1232 1459499 1229->1232 1233 14594b0-14594b7 1230->1233 1235 145949b-14594a9 1231->1235 1232->1235 1237 14594c4-14594cb 1233->1237 1238 14594b9-14594c1 1233->1238 1235->1233 1239 14594cd-14594d5 1237->1239 1240 14594d8-14594e1 call 1458720 1237->1240 1238->1237 1239->1240 1245 14594e3-14594eb 1240->1245 1246 14594ee-14594f3 1240->1246 1245->1246 1248 14594f5-14594fc 1246->1248 1249 1459511-1459515 1246->1249 1248->1249 1250 14594fe-145950e call 1458730 call 1458740 1248->1250 1268 1459518 call 1459940 1249->1268 1269 1459518 call 1459968 1249->1269 1250->1249 1253 145951b-145951e 1256 1459541-1459547 1253->1256 1257 1459520-145953e 1253->1257 1257->1256 1265 1459644-1459658 1263->1265 1266 145963d-1459643 1263->1266 1264->1263 1266->1265 1268->1253 1269->1253 1270->1222 1271->1222
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0145962E
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 627e9e8145408cd2ac14ad33e9eef03248833bbf5c2b5f32045a02c8f842ccf2
                              • Instruction ID: ee6c084b86843545b9da0d9074c7e9a85c6afec3e169850ee5e69a95d6834b5e
                              • Opcode Fuzzy Hash: 627e9e8145408cd2ac14ad33e9eef03248833bbf5c2b5f32045a02c8f842ccf2
                              • Instruction Fuzzy Hash: 10712670A00B058FD764DF6AC44075BBBF1BF89218F008A2ED58AD7B61DB35E845CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1272 53d1a4c-53d61ad 1275 53d61af-53d61b9 1272->1275 1276 53d61e6-53d620e 1272->1276 1275->1276 1277 53d61bb-53d61bd 1275->1277 1283 53d627f-53d6283 1276->1283 1284 53d6210-53d6237 1276->1284 1278 53d61bf-53d61c9 1277->1278 1279 53d61e0-53d61e3 1277->1279 1281 53d61cd-53d61dc 1278->1281 1282 53d61cb 1278->1282 1279->1276 1281->1281 1285 53d61de 1281->1285 1282->1281 1286 53d6285-53d62c3 1283->1286 1287 53d62c7-53d630f RegQueryValueExA 1283->1287 1294 53d6239-53d623b 1284->1294 1295 53d6267-53d626c 1284->1295 1285->1279 1286->1287 1289 53d6318-53d6326 1287->1289 1290 53d6311-53d6317 1287->1290 1291 53d633c-53d6363 1289->1291 1292 53d6328-53d6334 1289->1292 1290->1289 1302 53d6365-53d6369 1291->1302 1303 53d6373-53d6377 1291->1303 1292->1291 1298 53d625d-53d6265 1294->1298 1299 53d623d-53d6247 1294->1299 1300 53d626e-53d627a 1295->1300 1298->1300 1306 53d6249 1299->1306 1307 53d624b-53d6259 1299->1307 1300->1283 1302->1303 1309 53d636b 1302->1309 1310 53d6379-53d637d 1303->1310 1311 53d6387 1303->1311 1306->1307 1307->1307 1308 53d625b 1307->1308 1308->1298 1309->1303 1310->1311 1313 53d637f 1310->1313 1314 53d6388 1311->1314 1313->1311 1314->1314
                              APIs
                              • RegQueryValueExA.KERNELBASE(00000000,053D5F31,00020119,00000000,00000000,?), ref: 053D62FF
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: QueryValue
                              • String ID:
                              • API String ID: 3660427363-0
                              • Opcode ID: 973c90d7a1c22aed4b02332e9a7ebbe42f91dabed4f8c67e70c5a706caa1b183
                              • Instruction ID: 05db5ad40733dae665bf16b22e6388ab6ba064c80db9a5a24f80afd701e3fb6d
                              • Opcode Fuzzy Hash: 973c90d7a1c22aed4b02332e9a7ebbe42f91dabed4f8c67e70c5a706caa1b183
                              • Instruction Fuzzy Hash: 52714771D04209DFDB14CFA9D886BAEFBB1BF48314F148429E825A73A1DB749845CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1316 53d6136-53d61ad 1318 53d61af-53d61b9 1316->1318 1319 53d61e6-53d620e 1316->1319 1318->1319 1320 53d61bb-53d61bd 1318->1320 1326 53d627f-53d6283 1319->1326 1327 53d6210-53d6237 1319->1327 1321 53d61bf-53d61c9 1320->1321 1322 53d61e0-53d61e3 1320->1322 1324 53d61cd-53d61dc 1321->1324 1325 53d61cb 1321->1325 1322->1319 1324->1324 1328 53d61de 1324->1328 1325->1324 1329 53d6285-53d62c3 1326->1329 1330 53d62c7-53d630f RegQueryValueExA 1326->1330 1337 53d6239-53d623b 1327->1337 1338 53d6267-53d626c 1327->1338 1328->1322 1329->1330 1332 53d6318-53d6326 1330->1332 1333 53d6311-53d6317 1330->1333 1334 53d633c-53d6363 1332->1334 1335 53d6328-53d6334 1332->1335 1333->1332 1345 53d6365-53d6369 1334->1345 1346 53d6373-53d6377 1334->1346 1335->1334 1341 53d625d-53d6265 1337->1341 1342 53d623d-53d6247 1337->1342 1343 53d626e-53d627a 1338->1343 1341->1343 1349 53d6249 1342->1349 1350 53d624b-53d6259 1342->1350 1343->1326 1345->1346 1352 53d636b 1345->1352 1353 53d6379-53d637d 1346->1353 1354 53d6387 1346->1354 1349->1350 1350->1350 1351 53d625b 1350->1351 1351->1341 1352->1346 1353->1354 1356 53d637f 1353->1356 1357 53d6388 1354->1357 1356->1354 1357->1357
                              APIs
                              • RegQueryValueExA.KERNELBASE(00000000,053D5F31,00020119,00000000,00000000,?), ref: 053D62FF
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: QueryValue
                              • String ID:
                              • API String ID: 3660427363-0
                              • Opcode ID: a0c95a8697bb95abbf0caa65d66034cfe1a254a916b1b2f18ed3e5c976513536
                              • Instruction ID: 78e42e1d075114cb3f434cc8423332b48c3b02610dbc12f8fe3df94da76cc835
                              • Opcode Fuzzy Hash: a0c95a8697bb95abbf0caa65d66034cfe1a254a916b1b2f18ed3e5c976513536
                              • Instruction Fuzzy Hash: D5715871D04209DFDB14CFA9D886BAEFBB1BF48314F148429E825AB391DB749885CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0145FD0A
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 36961ea44bdfe3169d5b7148b476687ae62578acd1b868e50f5e43815166c383
                              • Instruction ID: 7401393649b9ab73b0e21189c6ad90a7d2f2dd15fb65a876e6ef24d383cdd41c
                              • Opcode Fuzzy Hash: 36961ea44bdfe3169d5b7148b476687ae62578acd1b868e50f5e43815166c383
                              • Instruction Fuzzy Hash: 7141B1B1D00309DFDB14CF99D884ADEBBB5FF48314F24852AE819AB211D7749945CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 053D60AF
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: Open
                              • String ID:
                              • API String ID: 71445658-0
                              • Opcode ID: 23c9c53b2ce7afb62fe44afe6b783a1dd07f85bd9f36fa98d1b1fde155069fa2
                              • Instruction ID: 21b61f63db5322f00555512366e3d614713bea8941c5cf9dc292a84d61f54b33
                              • Opcode Fuzzy Hash: 23c9c53b2ce7afb62fe44afe6b783a1dd07f85bd9f36fa98d1b1fde155069fa2
                              • Instruction Fuzzy Hash: 7E415671D04358DFCB10CFA9D885B9EFBB5BB48310F14852AE829AB240DBB49845CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 053D60AF
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: Open
                              • String ID:
                              • API String ID: 71445658-0
                              • Opcode ID: 1a80ee714b32709c85d8790b77c16dd29c79375f6753d04cadc3405a95a17b6c
                              • Instruction ID: fdac0f882758fdf5d06ecabe8beaab5e0b8666e7daa2f4bbc90c3d06ac5fcce2
                              • Opcode Fuzzy Hash: 1a80ee714b32709c85d8790b77c16dd29c79375f6753d04cadc3405a95a17b6c
                              • Instruction Fuzzy Hash: 804169B2D04358DFCB10CFA9D886B9DFBF1BF48300F14852AE824A7240DBB49845CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DeleteFileA.KERNELBASE(?), ref: 053D8B04
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DeleteFile
                              • String ID:
                              • API String ID: 4033686569-0
                              • Opcode ID: 84680583d0e048d707d6cbb31f3bcb1e7612582f3c1faed36b86c24a3cbc82ad
                              • Instruction ID: e9bba5ba7250085b081b966b52d03f83f28fe3a9b369e1f2597bb5d801af074f
                              • Opcode Fuzzy Hash: 84680583d0e048d707d6cbb31f3bcb1e7612582f3c1faed36b86c24a3cbc82ad
                              • Instruction Fuzzy Hash: 123137B2D102588FDB10CFA9D945B9EFBF5FB48314F148529E815A7240D7B8A846CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DeleteFileA.KERNELBASE(?), ref: 053D8B04
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DeleteFile
                              • String ID:
                              • API String ID: 4033686569-0
                              • Opcode ID: ea02bf79dea36cc7ba6fad5ae048924ad5f791fb7e551ee277eb395e4ce53005
                              • Instruction ID: 196d64b62577076a7de8e43087534bb79af0ab40f87256645c8802a1606d8464
                              • Opcode Fuzzy Hash: ea02bf79dea36cc7ba6fad5ae048924ad5f791fb7e551ee277eb395e4ce53005
                              • Instruction Fuzzy Hash: EB4137B2D102588FDB10CFA9D985B9DFBF1FB48314F14852AE815A7240D7B8A886CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: 5af9fab3428626652b015f0f64ec02fc01749c8d513d27a58d52ea2fa489a0b7
                              • Instruction ID: 2ccc03b3b964d958269ae6c20d86f3512b7e2720fdc5b4fbf124dcbbb6a458a8
                              • Opcode Fuzzy Hash: 5af9fab3428626652b015f0f64ec02fc01749c8d513d27a58d52ea2fa489a0b7
                              • Instruction Fuzzy Hash: 5F319C75A08208CFDB18CFA9E888BEDBBF1BF49714F1481A9D815A7361D774A844CF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCloseKey.KERNELBASE(00000000), ref: 053D642F
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: de316ea5c4d46d1da1eb337b0f1ecf5dcc108e13f28e9e05eb9e1716ba39280d
                              • Instruction ID: 9d684b68eb160c2be1142845f6978687af7592897fca45eb6313da148c4bf1ee
                              • Opcode Fuzzy Hash: de316ea5c4d46d1da1eb337b0f1ecf5dcc108e13f28e9e05eb9e1716ba39280d
                              • Instruction Fuzzy Hash: 0221ECB28083548FEB10DFA9D895BDEBFF4EB59314F50445AC445E7A41D338A840CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145BD87
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: b7ae0fda24cef8bf366caf191ded08cf400f6f91feaf94a711bd113256dd37da
                              • Instruction ID: c78b9550370a95707ca7c4db182f3b3e269e897f7f49abc9f4330d45830367d5
                              • Opcode Fuzzy Hash: b7ae0fda24cef8bf366caf191ded08cf400f6f91feaf94a711bd113256dd37da
                              • Instruction Fuzzy Hash: 5621D2B5901208DFDB10CF9AD884BEEBBF9EB48320F14841AE914A7311D378A955CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0145BD87
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: b61532eeff649457408b67387c1f84c1a0f0a0070b161d727c10cb910942b7f2
                              • Instruction ID: b495075b3b38ef858c3acf60bff465099acc3c8460f37b046515ce567a31c9e2
                              • Opcode Fuzzy Hash: b61532eeff649457408b67387c1f84c1a0f0a0070b161d727c10cb910942b7f2
                              • Instruction Fuzzy Hash: F021B3B59002099FDB10CF9AD984BDEBBF9EB48324F14841AE954A7350D378A954CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014596A9,00000800,00000000,00000000), ref: 014598BA
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 3bdcdc40abccecb8802421cfe88e8b5cd445f1f6299da1da019ef10572382948
                              • Instruction ID: e75cdcd3c5113db6a239770b2e81d8778b235f6349390f6dd95c9379ec70405c
                              • Opcode Fuzzy Hash: 3bdcdc40abccecb8802421cfe88e8b5cd445f1f6299da1da019ef10572382948
                              • Instruction Fuzzy Hash: B621F2B6800209DFDB10CF9AD844BDEFBF4AB88314F14842AD915A7610C778A945CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014596A9,00000800,00000000,00000000), ref: 014598BA
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 1804853b904e9d6db460007e56e728ac22a3adc9ec9f28d84f488194525ed251
                              • Instruction ID: 38d81d9ee120b99809ef8870e2bafb0c540020513251f487bcdeedfc59d2706f
                              • Opcode Fuzzy Hash: 1804853b904e9d6db460007e56e728ac22a3adc9ec9f28d84f488194525ed251
                              • Instruction Fuzzy Hash: EC11C2B6904209DFDB10CF9AD444BDEBBF4EB88324F14842AE919A7610C379A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 0145FE9D
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: d23a99887e7590f8e693423d7a854ca77e53a82ff99e973f14e741da1325b362
                              • Instruction ID: dd18f85dde6dfba19d71774e00030ae954de1a935f62f7ede1a8fd85ea6b4847
                              • Opcode Fuzzy Hash: d23a99887e7590f8e693423d7a854ca77e53a82ff99e973f14e741da1325b362
                              • Instruction Fuzzy Hash: EB1125B5800249CFDB10CF99D585BDEBBF8EB48324F20841AD854B7201C379A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0145962E
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 3834431282431c604a4278bd23ecc6675d2fdb97c39e698e19f1ce26ab6ceb69
                              • Instruction ID: cb312b001df0045659584a09668140b245b8ce11cc5aa0b261e8f8be0d1fa690
                              • Opcode Fuzzy Hash: 3834431282431c604a4278bd23ecc6675d2fdb97c39e698e19f1ce26ab6ceb69
                              • Instruction Fuzzy Hash: 7011E0B6C00249CFDB10CF9AD444BDFFBF8EB88224F14842AD819A7610D379A549CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: 013aa2ae8b7c751cbd0faf01a3f0bdf33992e11043456106cf79c6d73963ed63
                              • Instruction ID: 93054c1a86afdfeb43e29e88a3adf2ce1fea3ca02e258aa1c525249b74d299c7
                              • Opcode Fuzzy Hash: 013aa2ae8b7c751cbd0faf01a3f0bdf33992e11043456106cf79c6d73963ed63
                              • Instruction Fuzzy Hash: 5311F5B5C046498FCB14CF9AE544BEEFBF4BB48324F10852AD429A7350D378A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCloseKey.KERNELBASE(00000000), ref: 053D642F
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: d4edb1ddf14e5c6e3c2ef747c9bc23b6419b87af742e5026b0790b0aa8299d17
                              • Instruction ID: 4abd008fa557ebf85cec892db1eccfc03b080bcd5a15c7ae18d34498de8a5223
                              • Opcode Fuzzy Hash: d4edb1ddf14e5c6e3c2ef747c9bc23b6419b87af742e5026b0790b0aa8299d17
                              • Instruction Fuzzy Hash: C11118B5804249CFDB10CF9AD445BDEFBF8EB48324F508419D519A7640D7B5A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 0145FE9D
                              Memory Dump Source
                              • Source File: 00000006.00000002.528783561.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1450000_Scancontract103.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 35e5480a7f0c80dbf9b9dbeed4630c824a8c57ad5ebc15c9b0b37a2954a77020
                              • Instruction ID: 23414c6ddf79022579517b1048fc58f924ba89bd17706c93c8f6ce403ba3c19c
                              • Opcode Fuzzy Hash: 35e5480a7f0c80dbf9b9dbeed4630c824a8c57ad5ebc15c9b0b37a2954a77020
                              • Instruction Fuzzy Hash: 4911E5B5800249DFDB10CF99D585BDFBBF8EB48324F10841AD915A7741D378A944CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCloseKey.KERNELBASE(00000000), ref: 053D642F
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 035c975a90912604145638fd842cb9ab8037ba2dbcea8132e47e74d38c321656
                              • Instruction ID: c7118f50957ceda2cad495d7f45bff8a6c0081b69473d2af5b722993faac2c62
                              • Opcode Fuzzy Hash: 035c975a90912604145638fd842cb9ab8037ba2dbcea8132e47e74d38c321656
                              • Instruction Fuzzy Hash: 411115B58042498FDB10CF9AD485BDEFBF8EB48324F108419D519A7240D779A544CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.547493432.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_53d0000_Scancontract103.jbxd
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: daa2e9c4d82edfb1573636bcf8019ff47637074ed948f3ea75f8fe622e8507e6
                              • Instruction ID: e6906ecdea843b25dae6c4b358a49543e6d9c63a0cbc18d819fcfec790f1f0c4
                              • Opcode Fuzzy Hash: daa2e9c4d82edfb1573636bcf8019ff47637074ed948f3ea75f8fe622e8507e6
                              • Instruction Fuzzy Hash: B811D0B5C046498FDB14CF9AE548BDEFBF8EB48324F10852AD419A7240D378A544CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527081472.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_101d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50e62f594553650df1323eb4435af4b6042597fdecfb6d97c6b1b9402700667c
                              • Instruction ID: 08fc684cb98c0db06aa7b6db400a2c6055c90b98aa2f5ae8958bda1070d62267
                              • Opcode Fuzzy Hash: 50e62f594553650df1323eb4435af4b6042597fdecfb6d97c6b1b9402700667c
                              • Instruction Fuzzy Hash: F42128B1544240DFDB01CF94D8C4B2ABFA5FB88328F24C5A9E9454B20AC77AD856C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527081472.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_101d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d682c09122b55ec2d273ecc196588fc3994d79dd9cd9185ae88ee98f0c7f9175
                              • Instruction ID: 536c0d1cbe160b5649b5476da52a1c15c5d6a14e291f9d85d7541ac9dcc421af
                              • Opcode Fuzzy Hash: d682c09122b55ec2d273ecc196588fc3994d79dd9cd9185ae88ee98f0c7f9175
                              • Instruction Fuzzy Hash: 2E2167B1544200DFDB01CF94D8C8B6BBFA5FB88324F20C5A9E9454B20BC73AE856C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527276305.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_110d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5bcb839d5621765ece0ac3e38cadcfcfa29f3d28f88474d12bdcc80c1fc680c8
                              • Instruction ID: d8b48a344f87dfcd456b24e80329e00be1a2e3810d5d8a1e14942e5097293290
                              • Opcode Fuzzy Hash: 5bcb839d5621765ece0ac3e38cadcfcfa29f3d28f88474d12bdcc80c1fc680c8
                              • Instruction Fuzzy Hash: B0212871908204DFDF1ACF94E8C0B16BB65FB84354F20C569D90D4B28AC7B6D807CA62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527081472.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_101d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
                              • Instruction ID: c751595411f1a4efb2372e9a9639b125b7bd8aa7c2af7a78531ee9c2f718e989
                              • Opcode Fuzzy Hash: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
                              • Instruction Fuzzy Hash: B311B176804280CFDB12CF54D5C4B16BFB1FB84324F2486A9D9450B65BC33AD456CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527081472.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_101d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
                              • Instruction ID: c42b3d1cda1f3c944ec18796aeb733f5823bc4d4df9db6af65938ac0171000c6
                              • Opcode Fuzzy Hash: cd24c802d1f0944178af6fc850af7be5c5916ca1db69a1141699bdd4730e3d2e
                              • Instruction Fuzzy Hash: 8011B176444280CFCB16CF54D5C4B56BFB1FB84324F24C6A9D8450B65AC33AE456CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.527276305.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_110d000_Scancontract103.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4fd11be75d3965515b4152d8e08f00d09ff848862d85c063b28ddaa4755cdb2
                              • Instruction ID: b00227e7343b882da5d9214faae6f7ed3d71b5e6518b9b1f69b87962a1521ad1
                              • Opcode Fuzzy Hash: b4fd11be75d3965515b4152d8e08f00d09ff848862d85c063b28ddaa4755cdb2
                              • Instruction Fuzzy Hash: 5611D075904280CFCB16CF54E5C4B15FF71FB44324F24C6AAD8094B69AC37AD44ACB62
                              Uniqueness

                              Uniqueness Score: -1.00%