
Analysis Report REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe

Overview

General Information

Sample Name:REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe
MD5:a5bd9e3cc6651ae37285c31746150cc7
SHA1:3acbc4a061956069e94b81a3fa2daeed989f8046
SHA256:4221dc8f521313f343deefd093db3767e6732a284725bdba5ec51ce2a42b1cc7

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected GuLoader
Yara detected Nanocore RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe (PID: 5168 cmdline: 'C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe' MD5: A5BD9E3CC6651AE37285C31746150CC7)
    • RegAsm.exe (PID: 5792 cmdline: 'C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4852 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp46B4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5176 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp48C9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegAsm.exe (PID: 4116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wpasv.exe (PID: 3760 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • DISCERNERHEBEOSTEOTOM.exe (PID: 3900 cmdline: 'C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe' MD5: A5BD9E3CC6651AE37285C31746150CC7)
    • RegAsm.exe (PID: 4644 cmdline: 'C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • RegAsm.exe (PID: 3924 cmdline: 'C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wpasv.exe (PID: 4548 cmdline: 'C:\Program Files (x86)\WPA Service\wpasv.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • DISCERNERHEBEOSTEOTOM.exe (PID: 5244 cmdline: 'C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe' MD5: A5BD9E3CC6651AE37285C31746150CC7)
    • RegAsm.exe (PID: 3992 cmdline: 'C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1522741820.0000000001710000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost
00000003.00000002.1522741820.0000000001710000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b0b:$x2: NanoCore.ClientPluginHost
  • 0x5c0f:$s4: PipeCreated
  • 0x5b25:$s5: IClientLoggingHost
00000003.00000002.1518093577.0000000000F90000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
00000003.00000002.1518093577.0000000000F90000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
00000003.00000002.1523320238.0000000001780000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
(40 entries in total; only the first five are shown here.)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.RegAsm.exe.1760000.11.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
3.2.RegAsm.exe.1760000.11.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1deb:$x2: NanoCore.ClientPluginHost
  • 0x1f36:$s4: PipeCreated
  • 0x1e05:$s5: IClientLoggingHost
3.2.RegAsm.exe.f00000.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
3.2.RegAsm.exe.f00000.0.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
3.2.RegAsm.exe.f90000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
(47 entries in total; only the first five are shown here.)

Sigma Overview


System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5884, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp46B4.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp46B4.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe', ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 5884, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp46B4.tmp', ProcessId: 4852

Signature Overview


AV Detection:

Found malware configuration
Source: RegAsm.exe.3924.18.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "172.217.23.97"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for domain / URL
Source: earthtradeint.duckdns.org; Virustotal: Detection: 8%
Source: earthtradeint.theworkpc.com; Virustotal: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exe; Virustotal: Detection: 11%
Multi AV Scanner detection for submitted file
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe; Virustotal: Detection: 11%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000003.00000002.1517554727.0000000000F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1525636754.0000000020E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1525119277.000000001FE70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1536501402.0000000021090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5884, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY
Source: Yara match; File source: 3.2.RegAsm.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegAsm.exe.f20000.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_00FA8C48 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_00FA8C46 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_00FA4BA8 4x nop then mov esp, ebp

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: earthtradeint.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.6:49937 -> 23.105.131.240:53488
Source: global traffic; TCP traffic: 192.168.2.6:49945 -> 216.38.2.213:53488
Source: Joe Sandbox View; IP Address: 172.217.23.97
Source: Joe Sandbox View; ASN Name: unknown
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_2239370A WSARecv
Source: unknown; DNS traffic detected: queries for: doc-04-6o-docs.googleusercontent.com
Source: RegAsm.exe, 00000003.00000002.1523135191.0000000001750000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: RegAsm.exe, 00000003.00000002.1519752020.0000000001300000.00000040.00000001.sdmp, RegAsm.exe, 00000012.00000002.1501573809.0000000001000000.00000040.00000001.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1Qj9DFF7ZxFPuLewUCJ-IeiklNfqzT_yd
Source: unknown; Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49946

Source: wpasv.exe, 0000000B.00000002.1222812054.00000000006F0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegAsm.exe, 00000003.00000002.1517554727.0000000000F20000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000003.00000002.1517554727.0000000000F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1525636754.0000000020E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1525119277.000000001FE70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1536501402.0000000021090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5884, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY
Source: Yara match; File source: 3.2.RegAsm.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegAsm.exe.f20000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1522741820.0000000001710000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1518093577.0000000000F90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1523320238.0000000001780000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1523261337.0000000001760000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1524436330.00000000017E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1523135191.0000000001750000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1523054337.0000000001730000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1517953328.0000000000F80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1516959778.0000000000F00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1522589814.00000000016F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1523700398.00000000017B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1517554727.0000000000F20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.1525636754.0000000020E70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1523078339.0000000001740000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000012.00000002.1525119277.000000001FE70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1523597815.00000000017A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000002.1534618048.0000000020090000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000003.1496655150.0000000021489000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1536501402.0000000021090000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 5884, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 3924, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.RegAsm.exe.1760000.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f00000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f90000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1780000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f20000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1760000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1710000.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17e0000.15.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1750000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1710000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17a0000.13.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1750000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17e0000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1730000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.16f0000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1730000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f80000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f80000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1780000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.16f0000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17a0000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.1740000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17b0000.14.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.f20000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 3.2.RegAsm.exe.17b0000.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Potential malicious icon found
Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe; Code function: 0_2_02063659 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013005A9 EnumWindows,NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_0130987F NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309440 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309936 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309962 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_0130095E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309992 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013099CE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_0130082E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309C5A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309CB6 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01300892 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_0130989A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309C86 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013008FE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013098FE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309CEE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013008CA NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309B3A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_0130072E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309B06 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309B72 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01300766 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01300796 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013007FA NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309BFE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309BC6 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013007CE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309A36 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309A02 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309A66 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309A9E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_013006FA NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_01309ACE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_22391BB2 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 3_2_22391B77 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010005A9 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009440 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_0100987F NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009936 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_0100095E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009962 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009992 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010099CE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_0100082E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009C5A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009C86 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01000892 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_0100989A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009CB6 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010008CA NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009CEE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010008FE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010098FE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009B06 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_0100072E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009B3A NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01000766 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009B72 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01000796 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009BC6 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010007CE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010007FA NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009BFE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009A02 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009A36 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009A66 NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009A9E NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_01009ACE NtSetInformationThread
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 18_2_010006FA NtSetInformationThread
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02062AC10_2_02062AC1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020670C10_2_020670C1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020688C10_2_020688C1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020608CC0_2_020608CC
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02067ECC0_2_02067ECC
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02066CCD0_2_02066CCD
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020620CA0_2_020620CA
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020634C80_2_020634C8
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02066EC90_2_02066EC9
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02067AC90_2_02067AC9
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020672D50_2_020672D5
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020600DC0_2_020600DC
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020692DA0_2_020692DA
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02065CE40_2_02065CE4
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020680EC0_2_020680EC
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063CE90_2_02063CE9
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02065EF40_2_02065EF4
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063AF00_2_02063AF0
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020642FC0_2_020642FC
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020606FA0_2_020606FA
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02068B040_2_02068B04
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063F050_2_02063F05
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020689030_2_02068903
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02064F0B0_2_02064F0B
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020687090_2_02068709
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02065D150_2_02065D15
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02060B100_2_02060B10
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020675110_2_02067511
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206131C0_2_0206131C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02062F1C0_2_02062F1C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020691180_2_02069118
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020681230_2_02068123
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020683290_2_02068329
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02066D370_2_02066D37
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02068F340_2_02068F34
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206233C0_2_0206233C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020605380_2_02060538
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063D440_2_02063D44
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063F400_2_02063F40
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206614F0_2_0206614F
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206754C0_2_0206754C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206934C0_2_0206934C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02061D4D0_2_02061D4D
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02061B480_2_02061B48
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020651500_2_02065150
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02060F510_2_02060F51
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020615580_2_02061558
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020691590_2_02069159
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02064F660_2_02064F66
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02066B610_2_02066B61
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02062B6D0_2_02062B6D
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063F8F0_2_02063F8F
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206658D0_2_0206658D
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020611880_2_02061188
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206259C0_2_0206259C
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_0206219D0_2_0206219D
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02060BA70_2_02060BA7
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02065DA10_2_02065DA1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020673A10_2_020673A1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020671AD0_2_020671AD
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02063BB40_2_02063BB4
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020661B40_2_020661B4
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020609B10_2_020609B1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020685BD0_2_020685BD
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020677B80_2_020677B8
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020607CA0_2_020607CA
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020635D50_2_020635D5
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020689D10_2_020689D1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02062FD80_2_02062FD8
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02064FE70_2_02064FE7
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020683E10_2_020683E1
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020651EB0_2_020651EB
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020625E90_2_020625E9
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_020661F00_2_020661F0
Source: C:\Users\user\Desktop\REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exeCode function: 0_2_02068BF00_2_02068BF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA6E903_2_00FA6E90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA57F83_2_00FA57F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA77383_2_00FA7738
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA2D103_2_00FA2D10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA39103_2_00FA3910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA9C4F3_2_00FA9C4F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA39D73_2_00FA39D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA8F883_2_00FA8F88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA9B883_2_00FA9B88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_00FA6F573_2_00FA6F57
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_0130A0443_2_0130A044
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FE929FC3_2_1FE929FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FE924B03_2_1FE924B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_1FEA7AD03_2_1FEA7AD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2227B2A83_2_2227B2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_222723A03_2_222723A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_22272FA83_2_22272FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_222789D83_2_222789D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_22279E803_2_22279E80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2227969F3_2_2227969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_2227306F3_2_2227306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 3_2_222795D83_2_222795D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 9_2_028301B79_2_028301B7
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 11_2_022E01B711_2_022E01B7
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A140113_2_021A1401
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A340113_2_021A3401
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A163B13_2_021A163B
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A063413_2_021A0634
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A262813_2_021A2628
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A522F13_2_021A522F
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A082313_2_021A0823
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A0A2613_2_021A0A26
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A422613_2_021A4226
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A2E5513_2_021A2E55
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A305513_2_021A3055
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A2A7913_2_021A2A79
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4C7C13_2_021A4C7C
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A3C7D13_2_021A3C7D
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A0C6113_2_021A0C61
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A30BD13_2_021A30BD
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A48A113_2_021A48A1
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A00DC13_2_021A00DC
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A1ED213_2_021A1ED2
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A20CA13_2_021A20CA
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A0ACF13_2_021A0ACF
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A3CC313_2_021A3CC3
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4CF313_2_021A4CF3
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4B1813_2_021A4B18
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A491013_2_021A4910
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A291513_2_021A2915
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4D3F13_2_021A4D3F
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A1F3C13_2_021A1F3C
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A233C13_2_021A233C
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A173113_2_021A1731
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A473613_2_021A4736
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A072413_2_021A0724
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A335D13_2_021A335D
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A095513_2_021A0955
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A034B13_2_021A034B
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A377713_2_021A3777
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A236D13_2_021A236D
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A3D6D13_2_021A3D6D
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A019813_2_021A0198
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A519813_2_021A5198
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A259C13_2_021A259C
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A47BF13_2_021A47BF
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A1FB113_2_021A1FB1
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A27B713_2_021A27B7
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A31AF13_2_021A31AF
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A41AD13_2_021A41AD
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A05A313_2_021A05A3
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4BDB13_2_021A4BDB
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A2BD513_2_021A2BD5
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A21C813_2_021A21C8
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4DF913_2_021A4DF9
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A23FE13_2_021A23FE
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A27FC13_2_021A27FC
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A2FFD13_2_021A2FFD
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A51EB13_2_021A51EB
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A15EE13_2_021A15EE
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A1DEC13_2_021A1DEC
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A3BE013_2_021A3BE0
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A4FE713_2_021A4FE7
Source: C:\Users\user\DELINQUENCIESCHIVIATI\DISCERNERHEBEOSTEOTOM.exeCode function: 13_2_021A17E513_2_021A17E5
Source: C:\Program Files (x86)\WPA Service\wpasv.exeCode function: 14_2_030E01C814_2_030E01C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_0100A04418_2_0100A044
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_010084CA18_2_010084CA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_1FBF247818_2_1FBF2478
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21FD2FA818_2_21FD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21FD23A018_2_21FD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21FD239318_2_21FD2393
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21FD306F18_2_21FD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_21FD385018_2_21FD3850
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DISCERNERHEBEOSTEOTOM.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe, 00000000.00000002.1214069117.00000000005D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe, 00000000.00000002.1213725247.000000000042E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBackspeirshtcheevesicoce5.exe vs REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe, 00000000.00000002.1215025945.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBackspeirshtcheevesicoce5.exeFE2XTassive wallTassive wall vs REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe
Source: REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe Binary or memory string: OriginalFilenameBackspeirshtcheevesicoce5.exe vs REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe
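The OriginalFilename entries above carry a useful triage signal: the version resource names the build "Backspeirshtcheevesicoce5.exe", while the file was delivered with a lure string glued in front of that name. The script below is an added example, not code from the sandbox or from the sample. It reproduces the report's "OriginalFilename ... vs submitted name" comparison by locating the UTF-16LE String entry of VS_VERSIONINFO directly, so the same routine runs on a PE file or on a raw .sdmp memory dump; it assumes each String entry is DWORD-aligned as the format requires. The version-resource bytes it scans are constructed for the demo, and only the submitted file name is taken from the report.

```python
"""
Compare a PE file's VERSIONINFO OriginalFilename with the name it was delivered under.

Added example for this report; not code from the sandbox or from the sample.
All sample bytes below are constructed for the demo.
"""

# UTF-16LE "OriginalFilename" plus its NUL terminator, as laid out in the
# StringTable of a VS_VERSIONINFO resource.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(data: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string at `off`, one code unit at a time."""
    units = []
    while off + 1 < len(data):
        unit = data[off:off + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
        off += 2
    return b"".join(units).decode("utf-16-le", errors="replace")


def extract_original_filenames(data: bytes) -> list:
    """Return every OriginalFilename value found in `data` (PE file or memory dump).

    A VS_VERSIONINFO String entry is WORD wLength, WORD wValueLength, WORD wType,
    szKey (UTF-16LE, NUL-terminated), padding to a DWORD boundary, then Value.
    Header plus the key "OriginalFilename" is 6 + 34 = 40 bytes, so for a
    DWORD-aligned entry (assumed here, as the format requires) Value follows the
    key with no padding. Searching for the key directly avoids a resource-directory
    walk, which is what makes this usable on a raw .sdmp dump as well.
    """
    names = []
    pos = data.find(_KEY)
    while pos != -1:
        names.append(_read_utf16z(data, pos + len(_KEY)))
        pos = data.find(_KEY, pos + len(_KEY))
    return names


def _basename(path: str) -> str:
    """Basename for either path flavour; os.path on Linux would not split backslashes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def compare_names(delivered_path: str, original_filename: str) -> str:
    """Classify how the delivered file name relates to its OriginalFilename."""
    disk = _basename(delivered_path).lower()
    orig = original_filename.strip().lower()
    if not orig:
        return "no OriginalFilename"
    if disk == orig:
        return "match"
    if disk.endswith(orig):
        # A lure prefix glued in front of the real build name, the pattern the
        # report shows for this sample.
        return "mismatch: delivered name embeds OriginalFilename"
    return "mismatch"


def check_file(path: str) -> list:
    """Read a file from disk and return (OriginalFilename, verdict) for each value found."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(n, compare_names(path, n)) for n in extract_original_filenames(data)]


def build_version_string(key: str, value: str) -> bytes:
    """Construct one VS_VERSIONINFO String entry (test data only)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    body = key_b + b"\x00" * ((-(6 + len(key_b))) % 4) + val_b   # align Value to DWORD
    header = ((6 + len(body)).to_bytes(2, "little")        # wLength
              + (len(val_b) // 2).to_bytes(2, "little")    # wValueLength, in WCHARs
              + (1).to_bytes(2, "little"))                 # wType 1 = text
    return header + body


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * ((-len(b)) % 4)


# Constructed stand-in for the sample's version resource (not bytes from the malware):
# an unrelated entry first, then the one the report renders as
# "OriginalFilenameBackspeirshtcheevesicoce5.exe".
SAMPLE_BLOB = (_pad4(b"\x00" * 8 + build_version_string("FileDescription", "constructed test entry"))
               + build_version_string("OriginalFilename", "Backspeirshtcheevesicoce5.exe"))

# The name the sample was submitted under, taken from the report.
SUBMITTED_NAME = "REVISED_CONTRACT_CONFIRMATIONSubmittionBackspeirshtcheevesicoce5.exe"


def demo() -> list:
    """Run the comparison on the constructed blob as if it were the submitted file."""
    return [(n, compare_names(SUBMITTED_NAME, n)) for n in extract_original_filenames(SAMPLE_BLOB)]


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"OriginalFilename {name} vs {SUBMITTED_NAME}: {verdict}")
```

Running check_file() over the dropped DISCERNERHEBEOSTEOTOM.exe and over each .sdmp dump gives the same "vs" view the report shows; a garbled value such as "user32j%" from the 0x5D0000 region simply comes back as a non-matching string, which is the expected result for a dump taken mid-unpack.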
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll (reported four times)
Source: 00000003.00000002.1522741820.0000000001710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.1522741820.0000000001710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1518093577.0000000000F90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.1518093577.0000000000F90000.00000004.00000001.sdmp, type: MEMORY