
Analysis Report eabass ).exe

Overview

General Information

Sample Name: eabass ).exe
Analysis ID: 319577
MD5: e104111a29db150134fe6a812f54b691
SHA1: b64fd544542b623f37778ede23ae39ca508ed868
SHA256: 563803e4673863857f98356d9d8177b4d1afb49e8eb839e80e4f6e416e7f1083
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • eabass ).exe (PID: 1144 cmdline: 'C:\Users\user\Desktop\eabass ).exe' MD5: E104111A29DB150134FE6A812F54B691)
    • schtasks.exe (PID: 4624 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • eabass ).exe (PID: 2408 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
    • eabass ).exe (PID: 4676 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xa7925:$x1: NanoCore.ClientPluginHost
  • 0xda145:$x1: NanoCore.ClientPluginHost
  • 0xa7962:$x2: IClientNetworkHost
  • 0xda182:$x2: IClientNetworkHost
  • 0xab495:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xddcb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa768d:$a: NanoCore
  • 0xa769d:$a: NanoCore
  • 0xa78d1:$a: NanoCore
  • 0xa78e5:$a: NanoCore
  • 0xa7925:$a: NanoCore
  • 0xd9ead:$a: NanoCore
  • 0xd9ebd:$a: NanoCore
  • 0xda0f1:$a: NanoCore
  • 0xda105:$a: NanoCore
  • 0xda145:$a: NanoCore
  • 0xa76ec:$b: ClientPlugin
  • 0xa78ee:$b: ClientPlugin
  • 0xa792e:$b: ClientPlugin
  • 0xd9f0c:$b: ClientPlugin
  • 0xda10e:$b: ClientPlugin
  • 0xda14e:$b: ClientPlugin
  • 0xa7813:$c: ProjectData
  • 0xda033:$c: ProjectData
  • 0xa821a:$d: DESCrypto
  • 0xdaa3a:$d: DESCrypto
  • 0xafbe6:$e: KeepAlive
00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.eabass ).exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.eabass ).exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.eabass ).exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.eabass ).exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\eabass ).exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\eabass ).exe', ParentImage: C:\Users\user\Desktop\eabass ).exe, ParentProcessId: 1144, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', ProcessId: 4624

Signature Overview

AV Detection:

Found malware configuration
Source: eabass ).exe.4676.4.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match; File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: eabass ).exe; Joe Sandbox ML: detected
Source: 4.2.eabass ).exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic; TCP traffic: 192.168.2.6:49708 -> 104.207.150.47:4563
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS
Source: unknown; TCP traffic detected without corresponding DNS query: 104.207.150.47
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match; File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 0_2_00F7C2D0
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 0_2_00F799F8
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DAE480
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DAE471
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DABBD4
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371035157.0000000005EFA000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWMLJ.e#c vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371471703.0000000006660000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.370728590.0000000005E80000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameKedermister.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000000.343438100.0000000000872000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000003.00000000.362483536.00000000001C2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000004.00000000.363432441.00000000009A2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNAudio.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.612909393.000000000110A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.371035157.0000000005EFA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWMLJ.e#c vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmpBinary or memory string: originalfilename vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.371471703.0000000006660000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.370728590.0000000005E80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs eabass ).exe
          Source: eabass ).exe, 00000000.00000000.343438100.0000000000872000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000003.00000000.362483536.00000000001C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exe | Binary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000004.00000000.363432441.00000000009A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.612909393.000000000110A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
          Source: eabass ).exe | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: eabass ).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: iZjPEbxRTQJTJj.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@0/1
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe
          Source: C:\Users\user\Desktop\eabass ).exe | Mutant created: \Sessions\1\BaseNamedObjects\YDOIskdbwfIsJCoT
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
          Source: C:\Users\user\Desktop\eabass ).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{076109b0-c49a-4f78-9f0c-cbcb47f22db4}
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp
          Source: eabass ).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\eabass ).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\eabass ).exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\eabass ).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\eabass ).exe | File read: C:\Users\user\Desktop\eabass ).exe
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe 'C:\Users\user\Desktop\eabass ).exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\eabass ).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: eabass ).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: eabass ).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\eabass ).exe | Code function: 4_2_02DAC8D9 push edx; ret 4_2_02DAC922
          Source: initial sample | Static PE information: section name: .text entropy: 7.7057574273
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\eabass ).exe | File opened: C:\Users\user\Desktop\eabass ).exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\eabass ).exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion: