Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Scancontract103.exe

Overview

General Information

Sample Name:Scancontract103.exe
Analysis ID:713039
MD5:9d2a2b596cd979fc9674824d2aa731df
SHA1:015e8ae0f838e0fba35643297530a5b9a66e4186
SHA256:c4a2c953833c8d6b5d2ef71b997700559ecc9f23573d89072d205f963e46956c
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Scancontract103.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\Scancontract103.exe" MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • Scancontract103.exe (PID: 1760 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
      • schtasks.exe (PID: 2636 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2300 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Scancontract103.exe (PID: 6052 cmdline: C:\Users\user\Desktop\Scancontract103.exe 0 MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 4632 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 2576 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • dhcpmon.exe (PID: 1012 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 2300 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 5420 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
    • dhcpmon.exe (PID: 408 cmdline: {path} MD5: 9D2A2B596CD979FC9674824D2AA731DF)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c5cb65e3-79c3-43dc-bde0-43ed679c", "Group": "Default", "Domain1": "79.134.225.6", "Domain2": "", "Port": 60110, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
  • 0xe38:$x2: NanoCore.ClientPlugin
  • 0xe75:$x3: NanoCore.ClientPluginHost
  • 0xe5a:$i1: IClientApp
  • 0xe4e:$i2: IClientData
  • 0xe29:$i3: IClientNetwork
  • 0xec3:$i4: IClientAppHost
  • 0xe65:$i5: IClientDataHost
  • 0xeb0:$i6: IClientLoggingHost
  • 0xe8f:$i7: IClientNetworkHost
  • 0xea2:$i8: IClientUIHost
  • 0xed2:$i9: IClientNameObjectCollection
  • 0xef7:$i10: IClientReadOnlyNameObjectCollection
  • 0xe41:$s1: ClientPlugin
  • 0x177c:$s1: ClientPlugin
  • 0x1789:$s1: ClientPlugin
  • 0x11f9:$s6: get_ClientSettings
  • 0x1249:$s7: get_Connected
00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
  • 0xe75:$a1: NanoCore.ClientPluginHost
  • 0xe38:$a2: NanoCore.ClientPlugin
  • 0x120c:$b1: get_BuilderSettings
  • 0xec3:$b4: IClientAppHost
  • 0x127d:$b6: AddHostEntry
  • 0x12ec:$b7: LogClientException
  • 0x1261:$b8: PipeExists
  • 0xeb0:$b9: IClientLoggingHost
00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    Click to see the 49 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    20.2.Scancontract103.exe.33695a4.0.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    20.2.Scancontract103.exe.33695a4.0.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
    20.2.Scancontract103.exe.33695a4.0.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
    • 0xe38:$x2: NanoCore.ClientPlugin
    • 0xe75:$x3: NanoCore.ClientPluginHost
    • 0xe5a:$i1: IClientApp
    • 0xe4e:$i2: IClientData
    • 0xe29:$i3: IClientNetwork
    • 0xec3:$i4: IClientAppHost
    • 0xe65:$i5: IClientDataHost
    • 0xeb0:$i6: IClientLoggingHost
    • 0xe8f:$i7: IClientNetworkHost
    • 0xea2:$i8: IClientUIHost
    • 0xed2:$i9: IClientNameObjectCollection
    • 0xef7:$i10: IClientReadOnlyNameObjectCollection
    • 0xe41:$s1: ClientPlugin
    • 0x177c:$s1: ClientPlugin
    • 0x1789:$s1: ClientPlugin
    • 0x11f9:$s6: get_ClientSettings
    • 0x1249:$s7: get_Connected
    20.2.Scancontract103.exe.33695a4.0.raw.unpackWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
    • 0xe75:$a1: NanoCore.ClientPluginHost
    • 0xe38:$a2: NanoCore.ClientPlugin
    • 0x120c:$b1: get_BuilderSettings
    • 0xec3:$b4: IClientAppHost
    • 0x127d:$b6: AddHostEntry
    • 0x12ec:$b7: LogClientException
    • 0x1261:$b8: PipeExists
    • 0xeb0:$b9: IClientLoggingHost
    21.2.dhcpmon.exe.2dc9658.0.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
    Click to see the 69 entries

    Sigma Signatures

    AV Detection

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Persistence and Installation Behavior

    barindex
    Sigma detected: Scheduled temp file as task from temp location
    Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\Scancontract103.exe, ParentProcessId: 1760, ParentProcessName: Scancontract103.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, ProcessId: 2636, ProcessName: schtasks.exe

    Stealing of Sensitive Information

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Scancontract103.exe, ProcessId: 1760, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: Scancontract103.exeVirustotal: Detection: 40%Perma Link
    Multi AV Scanner detection for domain / URL
    Source: 79.134.225.6Virustotal: Detection: 6%Perma Link
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR
    Machine Learning detection for sample
    Source: Scancontract103.exeJoe Sandbox ML: detected
    Machine Learning detection for dropped file
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
    Source: 6.0.Scancontract103.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 6.2.Scancontract103.exe.5910000.4.unpackAvira: Label: TR/NanoCore.fadte
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c5cb65e3-79c3-43dc-bde0-43ed679c", "Group": "Default", "Domain1": "79.134.225.6", "Domain2": "", "Port": 60110, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Source: Scancontract103.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Scancontract103.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Networking

    barindex
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs:
    Source: Malware configuration extractorURLs: 79.134.225.6
    Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
    Source: Joe Sandbox ViewIP Address: 79.134.225.6 79.134.225.6
    Source: global trafficTCP traffic: 192.168.2.3:49707 -> 79.134.225.6:60110
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.6
    Source: Scancontract103.exe, 00000000.00000003.265302103.000000000598D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.wikip
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: Scancontract103.exe, 00000000.00000003.266935495.0000000005989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: Scancontract103.exe, 00000000.00000003.269009492.00000000059C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: Scancontract103.exe, 00000000.00000003.301534585.0000000005980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commv
    Source: Scancontract103.exe, 00000000.00000003.301534585.0000000005980000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoitu
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: Scancontract103.exe, 00000000.00000003.260309270.00000000059A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comc
    Source: Scancontract103.exe, 00000000.00000003.263528849.0000000005986000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000003.263806579.000000000598E000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: Scancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cna-d
    Source: Scancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cntyp9
    Source: Scancontract103.exe, 00000000.00000003.272557005.00000000059C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: Scancontract103.exe, 00000000.00000003.266747836.00000000059C6000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: dhcpmon.exe, 00000010.00000002.390909200.00000000016B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    barindex
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR

    Operating System Destruction

    barindex
    Protects its processes via BreakOnTermination flag
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: 01 00 00 00

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    .NET source code contains very large strings
    Source: Scancontract103.exe, FrmMain.csLong String: Length: 129663
    Source: 0.0.Scancontract103.exe.170000.0.unpack, FrmMain.csLong String: Length: 129663
    Source: dhcpmon.exe.6.dr, FrmMain.csLong String: Length: 129663
    Source: Scancontract103.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.33695a4.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 21.2.dhcpmon.exe.2dc9658.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.2e4d254.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5900000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: Scancontract103.exe PID: 6052, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: dhcpmon.exe PID: 1012, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 0_2_049FD4B4
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145E471
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145E480
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_0145BBD4
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D6550
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DD4E8
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D3E30
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DC8D0
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D4A50
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DD5A6
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D4B08
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D8ED0 NtSetInformationProcess,
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053D8EC9 NtSetInformationProcess,
    Source: Scancontract103.exe, 00000000.00000000.254620443.0000000000172000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename8voN7Es.exe: vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.326192763.00000000075A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000000.00000002.325921725.00000000073F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.546358238.0000000003EA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000006.00000002.548456934.0000000006360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 0000000F.00000002.398015480.000000000438A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQuestKingdom.dllH vs Scancontract103.exe
    Source: Scancontract103.exe, 0000000F.00000002.398402298.0000000004519000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Scancontract103.exe
    Source: Scancontract103.exeBinary or memory string: OriginalFilename8voN7Es.exe: vs Scancontract103.exe
    Source: Scancontract103.exeVirustotal: Detection: 40%
    Source: C:\Users\user\Desktop\Scancontract103.exeFile read: C:\Users\user\Desktop\Scancontract103.exeJump to behavior
    Source: Scancontract103.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Scancontract103.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\Scancontract103.exe "C:\Users\user\Desktop\Scancontract103.exe"
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\Scancontract103.exe C:\Users\user\Desktop\Scancontract103.exe 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scancontract103.exe.logJump to behavior
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCA7.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.evad.winEXE@26/8@0/1
    Source: Scancontract103.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\Scancontract103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Scancontract103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Scancontract103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Scancontract103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_01
    Source: C:\Users\user\Desktop\Scancontract103.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c5cb65e3-79c3-43dc-bde0-43ed679c8c9b}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: Scancontract103.exe, 00000000.00000003.275810844.000000000598C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: DITC Blackadder is a Trademark of International Typeface Corporation.slnt
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\Scancontract103.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Scancontract103.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Scancontract103.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    barindex
    .NET source code contains potential unpacker
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    .NET source code contains method to dynamically call methods (often used by packers)
    Source: Scancontract103.exe, FrmMain.cs.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: 0.0.Scancontract103.exe.170000.0.unpack, FrmMain.cs.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: dhcpmon.exe.6.dr, FrmMain.cs.Net Code: NewLateBinding.LateCall(V_1, null, "Invoke", stackVariable12, null, null, null, true)
    Source: C:\Users\user\Desktop\Scancontract103.exeCode function: 6_2_053DFC4A push FFFFFFE0h; ret
    Source: initial sampleStatic PE information: section name: .text entropy: 7.0886542606348
    Source: initial sampleStatic PE information: section name: .text entropy: 7.0886542606348
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 6.0.Scancontract103.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\Scancontract103.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

    Boot Survival

    barindex
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp

    Hooking and other Techniques for Hiding and Protection

    barindex
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\Scancontract103.exeFile opened: C:\Users\user\Desktop\Scancontract103.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Yara detected AntiVM3
    Source: Yara matchFile source: 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5308, type: MEMORYSTR
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 0000000F.00000002.395467089.000000000318B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: Scancontract103.exe, 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 0000000F.00000002.395467089.000000000318B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -240000s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239859s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239703s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239594s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239468s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239359s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239234s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -239109s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238998s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238874s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238717s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238500s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238273s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -238138s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237999s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237856s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237736s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237594s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237475s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237359s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237232s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -237091s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236976s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236859s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236750s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236621s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236500s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236374s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236265s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -236130s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235983s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235859s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235749s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235625s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235484s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235328s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235202s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -235093s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234983s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234859s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234703s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234562s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234433s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234311s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234202s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -234076s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233937s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233797s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233670s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233545s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233422s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233296s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5176Thread sleep time: -233156s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 5352Thread sleep time: -17524406870024063s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -240000s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 2384Thread sleep count: 9421 > 30
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236750s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236547s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236344s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236218s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -236094s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235968s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235840s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235681s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235500s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235364s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -235203s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234995s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234820s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234697s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234588s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234453s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234328s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234156s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -234046s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233937s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233750s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233594s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233406s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233203s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -233068s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232939s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232703s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232500s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232341s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232186s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -232000s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231844s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231703s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231546s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231386s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231264s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231154s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -231039s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230906s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230776s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230639s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230531s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230373s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230229s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -230094s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229943s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229797s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229656s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229515s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229376s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -229125s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228999s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228797s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228685s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228546s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228435s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228297s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228170s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -228042s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227887s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227750s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227594s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227453s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227328s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227201s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 3660Thread sleep time: -227047s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -20291418481080494s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -240000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239703s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239500s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239250s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -239000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238844s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238686s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238546s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238344s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238203s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -238034s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237891s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237750s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237619s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237483s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237349s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237203s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -237000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236881s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236750s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236593s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236466s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -236250s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235891s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235717s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235531s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235384s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235265s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235141s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -235000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234841s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234715s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234593s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234426s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234296s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234170s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -234042s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233856s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233746s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233605s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233453s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233302s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -233141s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232995s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232844s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232733s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232594s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232453s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232327s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -232141s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231989s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231844s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231703s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231573s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231467s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231354s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231244s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -231109s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230994s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230859s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230732s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230587s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230453s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230324s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230200s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -230060s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229920s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229794s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4764Thread sleep time: -229641s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -240000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239703s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239453s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239202s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -239088s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238889s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238656s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238500s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238356s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238250s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238140s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -238000s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237844s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237687s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237547s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237385s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237250s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -237062s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236906s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236750s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236547s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236406s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236203s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -236062s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235887s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235748s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235517s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235297s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235186s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -235059s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234936s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234797s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234652s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234500s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234368s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234230s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -234086s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233953s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233780s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233640s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233511s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233341s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -233115s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232953s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232794s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232656s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232484s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232331s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232213s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -232092s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231953s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231826s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231656s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231484s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231344s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231203s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -231073s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -230844s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -230656s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -230406s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -230203s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -229594s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -229406s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -229244s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -229053s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1360Thread sleep time: -228047s >= -30000s
    Source: C:\Users\user\Desktop\Scancontract103.exe TID: 4364Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5056Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1096Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 240000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239468
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239359
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239234
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239109
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238998
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238874
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238717
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238273
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238138
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237999
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237856
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237736
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237475
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237359
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237232
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237091
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236976
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236621
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236374
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236265
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236130
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235983
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235749
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235625
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235484
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235202
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235093
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234983
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234562
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234433
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234311
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234202
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234076
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233937
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233670
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233545
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233422
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233296
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233156
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 240000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236547
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236344
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236218
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236094
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235968
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235840
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235681
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235364
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235203
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234995
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234820
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234697
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234588
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234453
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234156
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234046
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233937
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233406
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233203
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233068
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232939
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232341
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232186
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231844
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231546
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231386
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231264
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231154
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231039
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230906
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230776
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230639
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230531
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230373
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230229
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230094
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229943
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229656
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229515
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229376
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229125
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228999
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228685
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228546
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228435
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228297
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228170
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228042
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227887
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227453
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227201
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227047
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 240000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238686
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238546
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238344
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238034
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237891
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237619
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237483
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237349
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236881
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236593
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236466
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235891
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235717
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235531
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235384
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235265
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234841
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234715
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234593
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234426
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234296
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234170
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234042
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233856
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233746
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233605
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233302
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232995
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232733
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232594
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232327
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231989
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231573
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231467
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231354
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231244
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231109
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230994
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230859
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230732
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230587
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230324
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230200
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230060
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229920
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229794
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229641
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 240000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239202
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239088
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238889
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238356
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238140
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237687
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237547
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237385
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237062
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236906
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236547
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236062
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235887
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235748
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235517
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235297
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235186
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235059
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234936
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234797
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234652
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234368
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234230
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234086
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233780
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233640
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233511
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233341
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233115
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232794
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232484
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232331
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232213
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232092
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231826
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231484
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231344
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231073
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229594
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229244
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229053
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 228047
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeWindow / User API: threadDelayed 8928
    Source: C:\Users\user\Desktop\Scancontract103.exeWindow / User API: threadDelayed 9578
    Source: C:\Users\user\Desktop\Scancontract103.exeWindow / User API: foregroundWindowGot 675
    Source: C:\Users\user\Desktop\Scancontract103.exeWindow / User API: threadDelayed 9421
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeWindow / User API: threadDelayed 9541
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeWindow / User API: threadDelayed 9561
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 240000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239468
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239359
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239234
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 239109
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238998
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238874
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238717
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238273
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 238138
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237999
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237856
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237736
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237475
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237359
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237232
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 237091
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236976
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236621
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236374
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236265
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236130
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235983
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235749
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235625
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235484
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235202
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235093
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234983
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234859
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234562
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234433
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234311
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234202
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234076
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233937
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233670
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233545
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233422
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233296
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233156
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 240000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236547
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236344
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236218
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 236094
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235968
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235840
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235681
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235364
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 235203
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234995
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234820
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234697
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234588
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234453
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234156
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 234046
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233937
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233406
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233203
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 233068
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232939
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232500
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232341
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232186
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 232000
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231844
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231703
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231546
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231386
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231264
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231154
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 231039
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230906
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230776
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230639
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230531
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230373
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230229
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 230094
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229943
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229656
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229515
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229376
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 229125
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228999
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228797
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228685
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228546
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228435
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228297
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228170
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 228042
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227887
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227750
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227594
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227453
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227328
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227201
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 227047
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 240000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238686
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238546
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238344
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238034
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237891
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237619
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237483
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237349
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236881
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236593
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236466
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235891
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235717
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235531
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235384
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235265
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234841
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234715
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234593
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234426
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234296
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234170
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234042
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233856
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233746
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233605
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233302
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232995
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232733
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232594
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232327
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232141
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231989
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231573
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231467
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231354
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231244
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231109
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230994
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230859
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230732
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230587
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230324
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230200
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230060
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229920
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229794
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229641
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 240000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239703
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239453
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239202
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 239088
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238889
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238356
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238140
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 238000
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237687
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237547
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237385
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237250
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 237062
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236906
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236750
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236547
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 236062
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235887
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235748
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235517
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235297
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235186
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 235059
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234936
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234797
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234652
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234500
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234368
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234230
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 234086
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233780
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233640
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233511
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233341
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 233115
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232794
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232484
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232331
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232213
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 232092
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231953
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231826
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231484
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231344
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 231073
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230844
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230656
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 230203
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229594
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229406
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229244
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 229053
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 228047
    Source: C:\Users\user\Desktop\Scancontract103.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
    Source: dhcpmon.exe, 00000011.00000002.422414740.0000000002E0B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess token adjusted: Debug
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\Scancontract103.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\Scancontract103.exeMemory written: C:\Users\user\Desktop\Scancontract103.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\Scancontract103.exeMemory written: C:\Users\user\Desktop\Scancontract103.exe base: 400000 value starts with: 4D5A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Users\user\Desktop\Scancontract103.exeProcess created: C:\Users\user\Desktop\Scancontract103.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
    Source: Scancontract103.exe, 00000006.00000002.548631838.00000000064DD000.00000004.00000010.00020000.00000000.sdmp, Scancontract103.exe, 00000006.00000002.545166472.00000000032B7000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000006.00000002.533870000.0000000002FE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Users\user\Desktop\Scancontract103.exe VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Scancontract103.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Detected Nanocore Rat
    Source: Scancontract103.exe, 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Scancontract103.exe, 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 20.2.Scancontract103.exe.434b7be.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5910000.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.0.Scancontract103.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 6.2.Scancontract103.exe.5914629.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.3631550.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.43505f4.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Scancontract103.exe.37a0a00.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 20.2.Scancontract103.exe.4354c1d.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 3732, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 1760, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: Scancontract103.exe PID: 5588, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2576, type: MEMORYSTR

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Scheduled Task/Job    		1
    Scheduled Task/Job    		112
    Process Injection    		2
    Masquerading    		21
    Input Capture    		11
    Security Software Discovery    		Remote Services21
    Input Capture    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    Scheduled Task/Job    		1
    Disable or Modify Tools    		LSASS Memory2
    Process Discovery    		Remote Desktop Protocol11
    Archive Collected Data    		Exfiltration Over Bluetooth1
    Non-Standard Port    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Remote Access Software    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)112
    Process Injection    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput CaptureScheduled Transfer1
    Application Layer Protocol    		SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Deobfuscate/Decode Files or Information    		LSA Secrets12
    System Information Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    Hidden Files and Directories    		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items2
    Obfuscated Files or Information    		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job22
    Software Packing    		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 713039 Sample: Scancontract103.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 12 other signatures 2->63 8 Scancontract103.exe 3 2->8         started        12 dhcpmon.exe 2 2->12         started        14 dhcpmon.exe 3 2->14         started        16 Scancontract103.exe 2 2->16         started        process3 file4 53 C:\Users\user\...\Scancontract103.exe.log, ASCII 8->53 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 8->69 71 Injects a PE file into a foreign processes 8->71 18 Scancontract103.exe 1 12 8->18         started        23 dhcpmon.exe 12->23         started        25 dhcpmon.exe 12->25         started        27 dhcpmon.exe 12->27         started        29 dhcpmon.exe 14->29         started        31 dhcpmon.exe 14->31         started        33 Scancontract103.exe 2 16->33         started        35 Scancontract103.exe 16->35         started        signatures5 process6 dnsIp7 55 79.134.225.6, 49707, 49708, 49709 FINK-TELECOM-SERVICESCH Switzerland 18->55 45 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->45 dropped 47 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 18->47 dropped 49 C:\Users\user\AppData\Local\Temp\tmpCA7.tmp, XML 18->49 dropped 51 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->51 dropped 65 Protects its processes via BreakOnTermination flag 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 37 schtasks.exe 1 18->37         started        39 schtasks.exe 1 18->39         started        file8 signatures9 process10 process11 41 conhost.exe 37->41         started        43 conhost.exe 39->43         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Scancontract103.exe40%VirustotalBrowse
    Scancontract103.exe100%Joe Sandbox ML

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML

    Unpacked PE Files

    SourceDetectionScannerLabelLinkDownload
    6.0.Scancontract103.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    6.2.Scancontract103.exe.5910000.4.unpack100%AviraTR/NanoCore.fadteDownload File

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    0%Avira URL Cloudsafe
    http://www.galapagosdesign.com/0%URL Reputationsafe
    http://www.fonts.comc0%URL Reputationsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.founder.com.cn/cna-d0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://en.wikip0%URL Reputationsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.fontbureau.comoitu0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    79.134.225.67%VirustotalBrowse
    http://www.sakkal.com0%URL Reputationsafe
    79.134.225.60%Avira URL Cloudsafe
    http://www.founder.com.cn/cntyp90%Avira URL Cloudsafe
    http://www.fontbureau.commv0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    true
    • Avira URL Cloud: safe
    		low
    79.134.225.6true
    • 7%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://www.apache.org/licenses/LICENSE-2.0Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://www.fontbureau.comScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.fontbureau.com/designersGScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.galapagosdesign.com/Scancontract103.exe, 00000000.00000003.272557005.00000000059C6000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers/?Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.fonts.comcScancontract103.exe, 00000000.00000003.260309270.00000000059A3000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cn/bTheScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers?Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.founder.com.cn/cntyp9Scancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.founder.com.cn/cna-dScancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.tiro.comScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.fontbureau.com/designersScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.goodfont.co.krScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://en.wikipScancontract103.exe, 00000000.00000003.265302103.000000000598D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.carterandcone.comlScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.sajatypeworks.comScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.typography.netDScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers/cabarga.htmlNScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/cTheScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.galapagosdesign.com/staff/dennis.htmScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://fontfabrik.comScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.founder.com.cn/cnScancontract103.exe, 00000000.00000003.263528849.0000000005986000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000003.263806579.000000000598E000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000003.263335099.0000000005985000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/frere-jones.htmlScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.comoituScancontract103.exe, 00000000.00000003.301534585.0000000005980000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/DPleaseScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers8Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.ascendercorp.com/typedesigners.htmlScancontract103.exe, 00000000.00000003.266935495.0000000005989000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fonts.comScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.sandoll.co.krScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.deDPleaseScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.zhongyicts.com.cnScancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.commvScancontract103.exe, 00000000.00000003.301534585.0000000005980000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameScancontract103.exe, 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.sakkal.comScancontract103.exe, 00000000.00000003.266747836.00000000059C6000.00000004.00000800.00020000.00000000.sdmp, Scancontract103.exe, 00000000.00000002.318121730.0000000006C12000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/Scancontract103.exe, 00000000.00000003.269009492.00000000059C5000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            79.134.225.6
                            		unknownSwitzerland
                            		6775FINK-TELECOM-SERVICESCHtrue

                            General Information

                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:713039
                            Start date and time:2022-09-29 22:57:49 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 30s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:Scancontract103.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:27
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@26/8@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe

                            Warnings

                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • TCP Packets have been reduced to 100
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            22:58:48API Interceptor969x Sleep call for process: Scancontract103.exe modified
                            22:59:13AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            22:59:16Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\Scancontract103.exe" s>$(Arg0)
                            22:59:16Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                            22:59:26API Interceptor255x Sleep call for process: dhcpmon.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASNs

                            No context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):854528
                            Entropy (8bit):7.084655686253337
                            Encrypted:false
                            SSDEEP:12288:sx9I2iNl/joW7EsJ2uM1DgC9tqGdpb5QyXYzvtMdADqjJ5ns:N1fEW7T4RDgvGdpHYzQjrs
                            MD5:9D2A2B596CD979FC9674824D2AA731DF
                            SHA1:015E8AE0F838E0FBA35643297530A5B9A66E4186
                            SHA-256:C4A2C953833C8D6B5D2EF71B997700559ECC9F23573D89072D205F963E46956C
                            SHA-512:768843F52697AC5A8E8FF71FF5A66BCA977CC6FAD9DA349CE77EEE431AA5252EC07187D52BCE92BD50BBCEC1A10B6CE1A9123DBAFA1E34D7A36AC2A9E511CEF3
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5c..............P.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........Z...W......;...|....a............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r/..p~....o-...(......t$....+..*...0..&........(....rA..p~....o-...(......

                            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scancontract103.exe.log

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1302
                            Entropy (8bit):5.3499841584777394
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxH5
                            MD5:A7D610296B11732FD61A88BC218783AC
                            SHA1:EE89E72AF3A15DAB847055A9F9F88FD934113857
                            SHA-256:7F3A7CE69B42D8C832F0FBB57C0523D6F098DC090D39616C05277F8DB9F4F9E9
                            SHA-512:8C0AC1893FF0A7FE287D4FC650943D33D1546200A89C2A502FE9BCB11DA6227533FD8F966EE8651B7E7BD8B5EA11403AD930D022D1D75B3EAA6D24D625F779DF
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

                            Download File
                            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1302
                            Entropy (8bit):5.3499841584777394
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxvbHKnYHKhQnoPtHoxH5
                            MD5:A7D610296B11732FD61A88BC218783AC
                            SHA1:EE89E72AF3A15DAB847055A9F9F88FD934113857
                            SHA-256:7F3A7CE69B42D8C832F0FBB57C0523D6F098DC090D39616C05277F8DB9F4F9E9
                            SHA-512:8C0AC1893FF0A7FE287D4FC650943D33D1546200A89C2A502FE9BCB11DA6227533FD8F966EE8651B7E7BD8B5EA11403AD930D022D1D75B3EAA6D24D625F779DF
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configu

                            C:\Users\user\AppData\Local\Temp\tmp1090.tmp

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):1310
                            Entropy (8bit):5.109425792877704
                            Encrypted:false
                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                            C:\Users\user\AppData\Local\Temp\tmpCA7.tmp

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1305
                            Entropy (8bit):5.103232147891814
                            Encrypted:false
                            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0hxtn:cbk4oL600QydbQxIYODOLedq3Ij
                            MD5:965D081052473031B1DA64E2A9CA6356
                            SHA1:2CE6D29C2C4C5E0AAF98B74E3661A7C8A214B554
                            SHA-256:81A542AC638DC1591CE04076330AAC190AA871FCD83AD2F3AB3C758BF6BB7713
                            SHA-512:27338E725AB8992E95A77425347AED5878829AAEBBBFF14348E610DB2F8255F812CDAA636E11B1128C1637C982C4B8E58E670FD8D4F97E6694C8A4EDE849A8B4
                            Malicious:true
                            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:Non-ISO extended-ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):2.75
                            Encrypted:false
                            SSDEEP:3:YRH/t:Yhl
                            MD5:3D6AAF34F494EBB7AEE72D9F1E409974
                            SHA1:AB6D9E593DF00E22315A1ED553CAFA40EFEE1FBA
                            SHA-256:D1B3C5C1EB2839519CA0B0E4E5DCF6120D0A14E2D81056AC11F2057443740705
                            SHA-512:14B3475E8E166D8351CC349F62EF6B1572793E07A6ADA611C2B4412A17951D4A3D08BC757F4D8542AB98E6A9024F4873F7417B7996B6B710BA2A8A54BF6087B5
                            Malicious:true
                            Preview:.l...H

                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

                            Download File
                            Process:C:\Users\user\Desktop\Scancontract103.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):42
                            Entropy (8bit):4.350068910616443
                            Encrypted:false
                            SSDEEP:3:oNWXp5v2GOUDu:oNWXpF2/
                            MD5:AA619EA44F715A3F4CF627DD80CFED11
                            SHA1:5BFC5B8E726014C10FD0226AFAE783DEC203CB6B
                            SHA-256:25186E981F6DA5CA846C5BC3A97592D4D39BA2F43AB7AA2A0B4088C5FA54AAB4
                            SHA-512:2255746B212D29944BDA7AFD8294D5A3E073908670BFDA9038FB68C056302F4F01B757AC22F95A72076443690B6228B73A9A94CB5383E2CE510ED98910B43DA3
                            Malicious:false
                            Preview:C:\Users\user\Desktop\Scancontract103.exe

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.084655686253337
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:Scancontract103.exe
                            File size:854528
                            MD5:9d2a2b596cd979fc9674824d2aa731df
                            SHA1:015e8ae0f838e0fba35643297530a5b9a66e4186
                            SHA256:c4a2c953833c8d6b5d2ef71b997700559ecc9f23573d89072d205f963e46956c
                            SHA512:768843f52697ac5a8e8ff71ff5a66bca977cc6fad9da349ce77eee431aa5252ec07187d52bce92bd50bbcec1a10b6ce1a9123dbafa1e34d7a36ac2a9e511cef3
                            SSDEEP:12288:sx9I2iNl/joW7EsJ2uM1DgC9tqGdpb5QyXYzvtMdADqjJ5ns:N1fEW7T4RDgvGdpHYzQjrs
                            TLSH:11054A2429EB922CF4B69BF95FC8F8FB4C5BFA61252960F624A153468B33E05CCD1435
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5c..............P.................. ... ....@.. .......................`............@................................

                            File Icon

                            Icon Hash:00828e8e8686b000

                            Static PE Info

                            General

                            Entrypoint:0x4d13d6
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x63358100 [Thu Sep 29 11:26:56 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xd13840x4f.text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xd20000x11ec.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xd40000xc.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000xcf3dc0xcf400False0.697853447300965COM executable for DOS7.0886542606348IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc0xd20000x11ec0x1200False0.3947482638888889data5.057459517659846IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xd40000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountry
                            RT_VERSION0xd20900x330data
                            RT_MANIFEST0xd23d00xe15XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators

                            Imports

                            DLLImport
                            mscoree.dll_CorExeMain

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Sep 29, 2022 22:59:20.027470112 CEST4970760110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:20.040286064 CEST601104970779.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:20.590548992 CEST4970760110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:20.603280067 CEST601104970779.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:21.293834925 CEST4970760110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:21.306813955 CEST601104970779.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:26.231312990 CEST4970860110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:26.244163036 CEST601104970879.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:26.762944937 CEST4970860110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:26.775790930 CEST601104970879.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:27.372375965 CEST4970860110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:27.385637999 CEST601104970879.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:31.717842102 CEST4970960110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:31.732376099 CEST601104970979.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:32.294923067 CEST4970960110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:32.307845116 CEST601104970979.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:32.888734102 CEST4970960110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:32.901580095 CEST601104970979.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:37.211786985 CEST4971060110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:37.224678040 CEST601104971079.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:37.763921022 CEST4971060110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:37.776861906 CEST601104971079.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:38.373284101 CEST4971060110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:38.386439085 CEST601104971079.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:43.012607098 CEST4971160110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:43.025531054 CEST601104971179.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:43.592551947 CEST4971160110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:43.605590105 CEST601104971179.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:44.295752048 CEST4971160110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:44.308585882 CEST601104971179.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:48.728755951 CEST4971260110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:48.741656065 CEST601104971279.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:49.296158075 CEST4971260110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:49.309087992 CEST601104971279.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:49.983714104 CEST4971260110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:49.996527910 CEST601104971279.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:54.070527077 CEST4971360110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:54.083321095 CEST601104971379.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:54.765382051 CEST4971360110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:54.778515100 CEST601104971379.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:55.374838114 CEST4971360110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:55.387594938 CEST601104971379.134.225.6192.168.2.3
                            Sep 29, 2022 22:59:59.943087101 CEST4971460110192.168.2.379.134.225.6
                            Sep 29, 2022 22:59:59.956547022 CEST601104971479.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:00.484608889 CEST4971460110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:00.499109030 CEST601104971479.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:01.094042063 CEST4971460110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:01.107193947 CEST601104971479.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:05.524106979 CEST4971560110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:05.537091970 CEST601104971579.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:06.082381010 CEST4971560110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:06.095248938 CEST601104971579.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:06.766412020 CEST4971560110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:06.779191971 CEST601104971579.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:10.834242105 CEST4971660110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:10.847059965 CEST601104971679.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:11.464692116 CEST4971660110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:11.477426052 CEST601104971679.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:11.985686064 CEST4971660110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:11.998442888 CEST601104971679.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:16.608930111 CEST4971760110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:16.621793032 CEST601104971779.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:17.267476082 CEST4971760110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:17.280277967 CEST601104971779.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:17.876717091 CEST4971760110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:17.890031099 CEST601104971779.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:21.904520988 CEST4971860110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:21.918123960 CEST601104971879.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:22.486566067 CEST4971860110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:22.499701023 CEST601104971879.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:23.174092054 CEST4971860110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:23.187195063 CEST601104971879.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:27.675836086 CEST4971960110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:27.688648939 CEST601104971979.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:28.205789089 CEST4971960110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:28.218532085 CEST601104971979.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:28.721540928 CEST4971960110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:28.734438896 CEST601104971979.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:32.754986048 CEST4972060110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:32.768208027 CEST601104972079.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:33.268742085 CEST4972060110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:33.281815052 CEST601104972079.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:33.784370899 CEST4972060110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:33.797348976 CEST601104972079.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:37.803364038 CEST4972160110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:37.816562891 CEST601104972179.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:38.316065073 CEST4972160110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:38.329046965 CEST601104972179.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:38.831706047 CEST4972160110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:38.844505072 CEST601104972179.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:42.998397112 CEST4972260110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:43.011187077 CEST601104972279.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:43.597734928 CEST4972260110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:43.610474110 CEST601104972279.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:44.207194090 CEST4972260110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:44.220000029 CEST601104972279.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:48.225795031 CEST4972360110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:48.238611937 CEST601104972379.134.225.6192.168.2.3
                            Sep 29, 2022 23:00:48.754570961 CEST4972360110192.168.2.379.134.225.6
                            Sep 29, 2022 23:00:48.767365932 CEST601104972379.134.225.6192.168.2.3

                            Statistics

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:22:58:46
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Scancontract103.exe"
                            Imagebase:0x170000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.308527260.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.303876077.00000000025BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.311167352.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            General

                            Target ID:6
                            Start time:22:59:07
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x970000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.547986042.0000000005900000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000000.299936604.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.530169744.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.548040807.0000000005910000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:low

                            General

                            Target ID:11
                            Start time:22:59:14
                            Start date:29/09/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpCA7.tmp
                            Imagebase:0x7ff745070000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Target ID:12
                            Start time:22:59:14
                            Start date:29/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Target ID:13
                            Start time:22:59:15
                            Start date:29/09/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp1090.tmp
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Target ID:14
                            Start time:22:59:15
                            Start date:29/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Target ID:15
                            Start time:22:59:16
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\Scancontract103.exe 0
                            Imagebase:0xd50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            General

                            Target ID:16
                            Start time:22:59:16
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                            Imagebase:0xe90000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.400735152.000000000334B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            Reputation:low

                            General

                            Target ID:17
                            Start time:22:59:22
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                            Imagebase:0xa70000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            General

                            Target ID:18
                            Start time:22:59:45
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x2a0000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            General

                            Target ID:19
                            Start time:22:59:45
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x390000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            General

                            Target ID:20
                            Start time:22:59:46
                            Start date:29/09/2022
                            Path:C:\Users\user\Desktop\Scancontract103.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0xd50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000014.00000002.442532353.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000014.00000002.440811827.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            General

                            Target ID:21
                            Start time:22:59:46
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x990000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.443127439.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            General

                            Target ID:22
                            Start time:22:59:53
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x180000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:low

                            General

                            Target ID:23
                            Start time:22:59:55
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):false
                            Commandline:{path}
                            Imagebase:0x50000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:low

                            General

                            Target ID:24
                            Start time:22:59:55
                            Start date:29/09/2022
                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0x870000
                            File size:854528 bytes
                            MD5 hash:9D2A2B596CD979FC9674824D2AA731DF
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            Disassembly

                            No disassembly