
Analysis Report eabass ).exe

Overview

General Information

Sample Name: eabass ).exe
Analysis ID: 319577
MD5: e104111a29db150134fe6a812f54b691
SHA1: b64fd544542b623f37778ede23ae39ca508ed868
SHA256: 563803e4673863857f98356d9d8177b4d1afb49e8eb839e80e4f6e416e7f1083
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • eabass ).exe (PID: 1144 cmdline: 'C:\Users\user\Desktop\eabass ).exe' MD5: E104111A29DB150134FE6A812F54B691)
    • schtasks.exe (PID: 4624 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • eabass ).exe (PID: 2408 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
    • eabass ).exe (PID: 4676 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xa7925:$x1: NanoCore.ClientPluginHost
  • 0xda145:$x1: NanoCore.ClientPluginHost
  • 0xa7962:$x2: IClientNetworkHost
  • 0xda182:$x2: IClientNetworkHost
  • 0xab495:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xddcb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa768d:$a: NanoCore
  • 0xa769d:$a: NanoCore
  • 0xa78d1:$a: NanoCore
  • 0xa78e5:$a: NanoCore
  • 0xa7925:$a: NanoCore
  • 0xd9ead:$a: NanoCore
  • 0xd9ebd:$a: NanoCore
  • 0xda0f1:$a: NanoCore
  • 0xda105:$a: NanoCore
  • 0xda145:$a: NanoCore
  • 0xa76ec:$b: ClientPlugin
  • 0xa78ee:$b: ClientPlugin
  • 0xa792e:$b: ClientPlugin
  • 0xd9f0c:$b: ClientPlugin
  • 0xda10e:$b: ClientPlugin
  • 0xda14e:$b: ClientPlugin
  • 0xa7813:$c: ProjectData
  • 0xda033:$c: ProjectData
  • 0xa821a:$d: DESCrypto
  • 0xdaa3a:$d: DESCrypto
  • 0xafbe6:$e: KeepAlive
00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.eabass ).exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.eabass ).exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.eabass ).exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.eabass ).exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\eabass ).exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\eabass ).exe', ParentImage: C:\Users\user\Desktop\eabass ).exe, ParentProcessId: 1144, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', ProcessId: 4624

Signature Overview



AV Detection:

Found malware configuration
Source: eabass ).exe.4676.4.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match | File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: eabass ).exe | Joe Sandbox ML: detected
Source: 4.2.eabass ).exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 104.207.150.47:4563
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown | TCP traffic detected without corresponding DNS query: 104.207.150.47
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match | File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\eabass ).exe | Code function: 0_2_00F7C2D0
Source: C:\Users\user\Desktop\eabass ).exe | Code function: 0_2_00F799F8
Source: C:\Users\user\Desktop\eabass ).exe | Code function: 4_2_02DAE480
Source: C:\Users\user\Desktop\eabass ).exe | Code function: 4_2_02DAE471
Source: C:\Users\user\Desktop\eabass ).exe | Code function: 4_2_02DABBD4
Source: eabass ).exe | Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371035157.0000000005EFA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWMLJ.e#c vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371471703.0000000006660000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.370728590.0000000005E80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000000.343438100.0000000000872000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe | Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000003.00000000.362483536.00000000001C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe | Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000004.00000000.363432441.00000000009A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.612909393.000000000110A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.371035157.0000000005EFA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWMLJ.e#c vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmpBinary or memory string: originalfilename vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.371471703.0000000006660000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
          Source: eabass ).exe, 00000000.00000002.370728590.0000000005E80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs eabass ).exe
          Source: eabass ).exe, 00000000.00000000.343438100.0000000000872000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000003.00000000.362483536.00000000001C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilename vs eabass ).exe
          Source: eabass ).exe, 00000004.00000000.363432441.00000000009A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs eabass ).exe
          Source: eabass ).exe, 00000004.00000002.612909393.000000000110A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
          Source: eabass ).exe | Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: eabass ).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: iZjPEbxRTQJTJj.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@0/1
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe
          Source: C:\Users\user\Desktop\eabass ).exe | Mutant created: \Sessions\1\BaseNamedObjects\YDOIskdbwfIsJCoT
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
          Source: C:\Users\user\Desktop\eabass ).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{076109b0-c49a-4f78-9f0c-cbcb47f22db4}
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp
          Source: eabass ).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\eabass ).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\eabass ).exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\eabass ).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\eabass ).exe | File read: C:\Users\user\Desktop\eabass ).exe
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe 'C:\Users\user\Desktop\eabass ).exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: unknown | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\eabass ).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: eabass ).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: eabass ).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\eabass ).exe | Code function: 4_2_02DAC8D9 push edx; ret 4_2_02DAC922
          Source: initial sample | Static PE information: section name: .text entropy: 7.7057574273
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\eabass ).exe | File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\eabass ).exe | File opened: C:\Users\user\Desktop\eabass ).exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\eabass ).exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.365991657.0000000002D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 1144, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\eabass ).exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\eabass ).exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\eabass ).exe; Window / User API: threadDelayed 3030
Source: C:\Users\user\Desktop\eabass ).exe; Window / User API: threadDelayed 6127
Source: C:\Users\user\Desktop\eabass ).exe; Window / User API: foregroundWindowGot 631
Source: C:\Users\user\Desktop\eabass ).exe; Window / User API: foregroundWindowGot 770
Source: C:\Users\user\Desktop\eabass ).exe TID: 576; Thread sleep time: -51315s >= -30000s
Source: C:\Users\user\Desktop\eabass ).exe TID: 3864; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\eabass ).exe TID: 2932; Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: eabass ).exe, 00000004.00000003.493728704.0000000001145000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[R
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\eabass ).exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\eabass ).exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\eabass ).exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\eabass ).exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
Source: C:\Users\user\Desktop\eabass ).exe; Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
Source: C:\Users\user\Desktop\eabass ).exe; Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
Source: eabass ).exe, 00000004.00000002.616403394.000000000342C000.00000004.00000001.sdmp; Binary or memory string: Program Manager0.ze
Source: eabass ).exe, 00000004.00000002.614010116.0000000002F3A000.00000004.00000001.sdmp; Binary or memory string: Program Manager
Source: eabass ).exe, 00000004.00000002.615264108.0000000003214000.00000004.00000001.sdmp; Binary or memory string: Program ManagerHg
Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Users\user\Desktop\eabass ).exe VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Users\user\Desktop\eabass ).exe VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\eabass ).exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\eabass ).exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\eabass ).exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\eabass ).exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
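The evasion and persistence events in this section can be triaged mechanically. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it runs the checks behind the signatures above over a constructed set of event lines shaped like the report's own (the schtasks /Create with a /XML task definition in a Temp directory that produces the "Scheduled temp file as task from temp location" Sigma hit, the 30 s sleep cut-off the report prints as "-30000s", the Sandboxie/Wine/VMware/Hyper-V artefact strings, the ROOT\SecurityCenter2 product enumeration, and the MachineGuid read). Two points are inferences rather than statements of the report: the sleep values are treated as milliseconds because that is the only unit under which the cut-off equals 30 s, and the 922337203685477 figure is identified as TimeSpan.MaxValue expressed in ms (Int64.MaxValue 100 ns ticks divided by 10000), i.e. a Thread.Sleep that never returns. The "vbox" marker is a common extra not present in the report.

```python
import re

# Constructed sample input: event lines in the shape of the report above. They were
# assembled for this example from values the report quotes, plus one benign control
# line; they are not a sandbox export.
SAMPLE_EVENTS = [
    "Process created: C:\\Windows\\SysWOW64\\schtasks.exe 'C:\\Windows\\System32\\schtasks.exe' "
    "/Create /TN 'Updates\\iZjPEbxRTQJTJj' /XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpEFB4.tmp'",
    "TID: 3864 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 576 Thread sleep time: -51315s >= -30000s",
    "Binary or memory string: SBIEDLL.DLL",
    "Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000"
    "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "WMI Queries: IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    "Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    "Process created: C:\\Windows\\System32\\notepad.exe notepad.exe C:\\Users\\user\\notes.txt",  # benign control
]

# Directories a scheduled-task XML definition should never be loaded from: the logic
# behind the "Scheduled temp file as task from temp location" Sigma hit.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Strings the sample uses to recognise Sandboxie, Wine and VMware/Hyper-V hosts. The
# first four appear in the report; "vbox" is an assumed extra, not from the report.
SANDBOX_MARKERS = ("sbiedll.dll", "wine_get_unix_file_name", "vmware", "hyper-v", "vbox")

# The report prints its sleep cut-off as "-30000s"; that is 30 s only if the unit is
# milliseconds, so sleep values are treated as ms here (inference).
SLEEP_THRESHOLD_MS = 30_000
# .NET TimeSpan.MaxValue is Int64.MaxValue 100 ns ticks; in ms that is exactly the
# 922337203685477 the report quotes, i.e. Thread.Sleep(TimeSpan.MaxValue) (inference).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")
XML_ARG_RE = re.compile(r"""/xml\s+['"]?([^'"]+)""", re.I)
SECURITY_CENTER_RE = re.compile(
    r"root\\securitycenter2\s*:\s*select\s+\w+\s+from\s+(antivirusproduct|antispywareproduct|firewallproduct)",
    re.I,
)


def is_temp_task_xml(cmdline: str) -> bool:
    """True for a schtasks /Create whose /XML task definition lives in a temp directory."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return False
    m = XML_ARG_RE.search(low)
    return bool(m) and any(d in m.group(1) for d in TEMP_DIRS)


def sleep_ms(event: str):
    """Milliseconds requested by a 'Thread sleep time' event, or None if it is not one."""
    m = SLEEP_RE.search(event)
    return int(m.group(1)) if m else None


def triage(events):
    """Bucket event lines into the evasion/persistence categories used in the report."""
    findings = {
        "persistence_schtasks_temp_xml": [],
        "long_sleep": [],
        "sandbox_artifact": [],
        "security_product_enum": [],
        "host_fingerprint": [],
    }
    for ev in events:
        low = ev.lower()
        if low.startswith("process created:") and is_temp_task_xml(ev):
            findings["persistence_schtasks_temp_xml"].append(ev)
        ms = sleep_ms(ev)
        if ms is not None and ms >= SLEEP_THRESHOLD_MS:
            findings["long_sleep"].append(ms)
        if any(marker in low for marker in SANDBOX_MARKERS):
            findings["sandbox_artifact"].append(ev)
        if SECURITY_CENTER_RE.search(ev):
            findings["security_product_enum"].append(ev)
        if "machineguid" in low:
            findings["host_fingerprint"].append(ev)
    return findings


def triggered(findings):
    """Sorted names of the categories that have at least one hit."""
    return sorted(k for k, v in findings.items() if v)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for category in triggered(result):
        print(f"{category}: {len(result[category])} event(s)")
    print("longest sleep equals TimeSpan.MaxValue:", max(result["long_sleep"]) == TIMESPAN_MAX_MS)
```

The benign notepad line lands in no bucket; a schtasks /Create whose XML sits under C:\ProgramData does not trigger the persistence rule either, since the rule keys on the directory of the task definition rather than on schtasks itself.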

          Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match; File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE
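The Yara hits above are on process memory and on the unpacked image, not on the file as it sits on disk. As an added example that is not part of the report and not any published NanoCore rule, the Python below implements the same kind of string rule over a constructed memory region: it looks for the NanoCore plugin-host identifiers quoted under Remote Access Functionality further down, in both ASCII and UTF-16LE as a YARA string declared `ascii wide` would, and applies a "3 of them" condition. The optional MZ-header check is there to show why a rule meant for memory regions must not require one. The identifier list, the threshold and the sample buffers are the example's own choices.

```python
# Identifiers quoted from the sample's memory under "Remote Access Functionality":
# NanoCore's plugin-host interfaces and plugin assembly names. Names that are
# substrings of each other ("NanoCore.ClientPlugin" inside "NanoCore.ClientPluginHost")
# are deliberately not both listed, so each hit counts once.
NANOCORE_STRINGS = (
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "ClientPlugin.dll",
    "NanoCoreBase.dll",
    "FileBrowserClient",
)


def find_strings(buf: bytes, needles=NANOCORE_STRINGS):
    """Offsets of every needle in buf, searched as ASCII and as UTF-16LE ("wide").

    Returns {needle: [(offset, "ascii" | "wide"), ...]} for needles with at least one
    hit, which is the information YARA exposes for strings declared `ascii wide`.
    """
    hits = {}
    for s in needles:
        for enc, pattern in (("ascii", s.encode("ascii")), ("wide", s.encode("utf-16-le"))):
            start = 0
            while True:
                i = buf.find(pattern, start)
                if i < 0:
                    break
                hits.setdefault(s, []).append((i, enc))
                start = i + 1
    return hits


def matches_nanocore(buf: bytes, min_distinct: int = 3, require_pe: bool = False) -> bool:
    """YARA-style condition `3 of them`, optionally preceded by `uint16(0) == 0x5A4D`.

    Memory-dump regions (the report's *.sdmp sources) are usually not PE images, so a
    rule aimed at process memory must leave require_pe off; the same rule scanning files
    on disk can turn it on to avoid matching stray text.
    """
    if require_pe and buf[:2] != b"MZ":
        return False
    return len(find_strings(buf)) >= min_distinct


# Constructed memory region for the example: a run of .NET metadata identifiers like
# the one quoted in the report, then one UTF-16 string. Not a real dump.
SAMPLE_REGION = (
    b"\x00" * 64
    + b"<Module>mscorlibMicrosoft.VisualBasicNanoCore.ClientPluginHost"
    + b"IClientNetworkHostIClientLoggingHost"
    + b"\x00" * 16
    + "ClientPlugin.dll".encode("utf-16-le")
    + b"\x00" * 32
)
# Control buffer holding only ordinary .NET names (also constructed).
BENIGN_REGION = (
    b"MZ" + b"\x00" * 62
    + b"System.Windows.Forms.dll IClientChannel System.Runtime.Remoting"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("benign", BENIGN_REGION)):
        hits = find_strings(region)
        print(name, "->", {k: v for k, v in hits.items()}, "match:", matches_nanocore(region))
```

In YARA the same rule declares each identifier as `ascii wide` and uses `3 of them` as its condition; `uint16(0) == 0x5A4D and` is added only for rules that scan files, which is why the report's matches are listed against memory regions and the unpacked PE rather than the dropped file.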

          Remote Access Functionality:

Detected Nanocore Rat
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDele
teCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttribute
GuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHand
leUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSyste
m.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Yara detected Nanocore RAT
          Source: Yara match, File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
          Source: Yara match, File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 1 | Input Capture 21 | Security Software Discovery 121 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          eabass ).exe | 100% | Joe Sandbox ML | |

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe | 100% | Joe Sandbox ML | |

          Unpacked PE Files

          Source | Detection | Scanner | Label | Link
          4.2.eabass ).exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 |

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | false | | high

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            104.207.150.47 | unknown | United States | 20473 | AS-CHOOPAUS | true

            General Information

            Joe Sandbox Version: 31.0.0 Red Diamond
            Analysis ID: 319577
            Start date: 18.11.2020
            Start time: 13:05:45
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 8m 8s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: eabass ).exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 8
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@8/8@0/1
            EGA Information: Failed
            HDC Information: Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 31
            • Number of non-executed functions: 2
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, svchost.exe
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            13:06:45 | API Interceptor | 1000x Sleep call for process: eabass ).exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection
            104.207.150.47 | Draft BL(s) (BL No UIH000062500).exe | malicious

              Domains

              No context

              ASN

              Match | Associated Sample Name / URL | Detection | Context
              AS-CHOOPAUS | CpManyv2nV.exe | malicious | 108.61.29.35
              | ubvk0T4ceG.exe | malicious | 108.61.29.35
              | Hag4TPW3Ue.exe | malicious | 140.82.59.108
              | 2q8x6yYNHj.exe | malicious | 108.61.29.35
              | oL9U4IbxMb.exe | malicious | 95.179.229.244
              | Y7i2sl4Foh.exe | malicious | 140.82.59.108
              | REibC3I4ju.exe | malicious | 108.61.29.35
              | OBg8aUeQjJ.exe | malicious | 45.32.129.110
              | tbzcpAZnBK.exe | malicious | 66.42.54.195
              | w6r8DJTtvF.exe | malicious | 45.76.50.199
              | fiksat.exe | malicious | 45.63.107.192
              | Invoice.exe | malicious | 66.42.63.136
              | qejrj9WOGM.exe | malicious | 140.82.59.108
              | http://149.129.50.37/ | malicious | 108.61.40.123
              | RbM6WfSPbz.exe | malicious | 144.202.97.5
              | PI210941.exe | malicious | 66.42.54.195
              | document-359248421.xlsb | malicious | 45.63.107.192
              | http://www.viportal.co | malicious | 209.250.225.52
              | Amacon Order Specification Requirement.exe | malicious | 149.28.117.117
              | 4AXKXtaavC.exe | malicious | 140.82.59.108

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eabass ).exe.log
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):1314
              Entropy (8bit):5.350128552078965
              Encrypted:false
              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1659
              Entropy (8bit):5.176005492710507
              Encrypted:false
              SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Ctn:cbha7JlNQV/rydbz9I3YODOLNdq3u
              MD5:20AC5DF5C0E738DE92FB86366885E0CB
              SHA1:BF819154E2968870A6EF5E059DAE17B90A05993C
              SHA-256:01481B4B1EE586B5E2A93598F5F2ECAB905A8CA509776E0EAE5D1B95B1953988
              SHA-512:C4AB981CF70BE031AD18DE1D55B817A9114FD3AD5C771BD346CCFD63783504B9D7469F7B94662377E7B556098E1B1C6012F855E17F5C6CF514C203DD48B241FB
              Malicious:true
              Reputation:low
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):232
              Entropy (8bit):7.024371743172393
              Encrypted:false
              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
              MD5:32D0AAE13696FF7F8AF33B2D22451028
              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:u09t:uE
              MD5:F85BF482C98AF76102C8E65250639E50
              SHA1:F46E7F19C2F16FDD3EAB9D60F4064B5BBEE8D952
              SHA-256:BDE0B0543A8C7AACA18EBB5A7A2694344BBE3BFD5D2127037E7AD183B815F88B
              SHA-512:5CA469F597C2EB393D83D1B8AB7FD073E47558D8EFA251DB9D6BB6389E35E6C79B32796AF1A9592E4447F2EDC668229450E0A9C644E8D9BB157B30509159984F
              Malicious:true
              Reputation:low
              Preview: t.O....H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):40
              Entropy (8bit):5.153055907333276
              Encrypted:false
              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
              MD5:4E5E92E2369688041CC82EF9650EDED2
              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):327432
              Entropy (8bit):7.99938831605763
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
              C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):665088
              Entropy (8bit):7.696568668619478
              Encrypted:false
              SSDEEP:12288:H6jXmxXRv6+ftJuI2TBFbsZni3lcEs2jMJ7KUZt9luz9NK3vSH:ZBvvftJuI21aZWGEsrJ7KU5M23qH
              MD5:E104111A29DB150134FE6A812F54B691
              SHA1:B64FD544542B623F37778EDE23AE39CA508ED868
              SHA-256:563803E4673863857F98356D9D8177B4D1AFB49E8EB839E80E4F6E416E7F1083
              SHA-512:12C9223B2D3FC712883CB97FDADF03CDB1EC775B8BE102C0537153C54AF4CDEB4D46DC4AAF2333627984321A424B3ABAA6A00E1E61D5480226680322BE2BA2DA
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............^:... ...@....@.. ....................................@..................................:..S....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B................@:......H.......0..............`...............................................*....(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*Z........o?...........*&..(@....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{.
              C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
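
              The dropped files above are the usual NanoCore foothold: a copy of the sample under %APPDATA% whose Zone.Identifier stream is written with ZoneId=0 (so Windows no longer treats it as downloaded), a GUID-named folder holding high-entropy run/settings/storage/catalog data, and a Task Scheduler XML written to %TEMP% and registered for logon persistence (the schtasks.exe and "Scheduled temp file as task" signatures). The following added example, written for this page and not part of the report or of Joe Sandbox, triages such a task XML and returns the indicators an analyst would pull from it. The sample document is a constructed copy of the tmpEFB4.tmp preview; that preview is cut off before <Actions>, so the Exec command pointing at the dropped %APPDATA% copy is an assumption, and USER_WRITABLE is an assumed directory list.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the tmpEFB4.tmp preview in the report. The preview
# stops before <Actions>; the Exec command below is an assumption (the %APPDATA% copy
# the sample dropped), not something the report shows.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\iZjPEbxRTQJTJj.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Assumed list of directories an unprivileged user can write to; a logon task that
# launches from one of them is the classic user-level persistence pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def triage_task(xml_data, observed=None):
    """Return registration metadata and the persistence indicators found in a Task
    Scheduler XML document (bytes as written to disk, or str). `observed` is an ISO
    date of when the task was seen being dropped, used to spot templated dates."""
    root = ET.fromstring(xml_data)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    findings = []
    if text("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true":
        who = text("t:Triggers/t:LogonTrigger/t:UserId") or "any user"
        findings.append(f"runs at every logon of {who}")
    if (text("t:Principals/t:Principal/t:LogonType") == "InteractiveToken"
            and text("t:Principals/t:Principal/t:RunLevel") == "LeastPrivilege"):
        findings.append("runs in the interactive user's own context, so no UAC prompt was needed to register it")
    if text("t:Settings/t:AllowHardTerminate").lower() == "false":
        findings.append("AllowHardTerminate=false: the scheduler will not force-kill the process")
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(f"action launches from a user-writable directory: {path}")
    registered = text("t:RegistrationInfo/t:Date")
    if observed and registered:
        # Task XML carries whatever date the dropper wrote; fractional seconds are cut
        # to what fromisoformat accepts on older Pythons.
        gap = (datetime.fromisoformat(observed) - datetime.fromisoformat(registered[:19])).days
        if gap > 365:
            findings.append(f"RegistrationInfo date is {gap} days older than the observed drop: a templated, not a real, registration time")
    return {"author": text("t:RegistrationInfo/t:Author"), "registered": registered, "findings": findings}


if __name__ == "__main__":
    # The real file is UTF-16 with a BOM, as its declaration says; mirror that here.
    result = triage_task(SAMPLE_TASK_XML.encode("utf-16"), observed="2020-11-18")
    print(result["author"], result["registered"])
    for finding in result["findings"]:
        print(" -", finding)
```

              On the constructed sample this reports five indicators: the logon trigger, the least-privilege interactive principal, the no-hard-terminate setting, the user-writable launch path and the 2014 registration date sitting six years before the November 2020 analysis. The date check matters in practice because the same stale timestamp recurs across drops of the same builder and makes a useful hunting pivot.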

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.696568668619478
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Win16/32 Executable Delphi generic (2074/23) 0.01%
              File name:eabass ).exe
              File size:665088
              MD5:e104111a29db150134fe6a812f54b691
              SHA1:b64fd544542b623f37778ede23ae39ca508ed868
              SHA256:563803e4673863857f98356d9d8177b4d1afb49e8eb839e80e4f6e416e7f1083
              SHA512:12c9223b2d3fc712883cb97fdadf03cdb1ec775b8be102c0537153c54af4cdeb4d46dc4aaf2333627984321a424b3abaa6a00e1e61d5480226680322be2ba2da
              SSDEEP:12288:H6jXmxXRv6+ftJuI2TBFbsZni3lcEs2jMJ7KUZt9luz9NK3vSH:ZBvvftJuI21aZWGEsrJ7KU5M23qH
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............^:... ...@....@.. ....................................@................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x4a3a5e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5FB4FACB [Wed Nov 18 10:43:23 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              (the remaining bytes of the preview are zero padding, which the disassembler shows as repeated "add byte ptr [eax], al")

              This is the standard native stub of a managed executable: 0x402000 is Imagebase 0x400000 plus the IAT at RVA 0x2000 (see Data Directories), whose single entry is mscoree.dll!_CorExeMain (see Imports). Control passes straight to the CLR, so the program logic lives in the CIL metadata, not at the native entrypoint.

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3a08 | 0x53 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x5b0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0xa1a64 | 0xa1c00 | False | 0.81880162046 | data | 7.7057574273 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rsrc | 0xa4000 | 0x5b0 | 0x600 | False | 0.423828125 | data | 4.09731810024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xa40a0 | 0x324 | data | |
              RT_MANIFEST | 0xa43c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

              Imports

              DLL | Import
              mscoree.dll | _CorExeMain

              Version Infos

              Description | Data
              Translation | 0x0000 0x04b0
              LegalCopyright | Copyright 2017 - 2020
              Assembly Version | 1.0.0.0
              InternalName | WMLJ.exe
              FileVersion | 1.0.0.0
              CompanyName |
              LegalTrademarks |
              Comments |
              ProductName | CashMe Out
              ProductVersion | 1.0.0.0
              FileDescription | CashMe Out
              OriginalFilename | WMLJ.exe

              Network Behavior

              Network Port Distribution
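
              The TCP packet rows in this report's export run the timestamp, source port, destination port, source IP and destination IP together with no separators, so a port boundary is ambiguous in isolation (456349708 reads as 4563|49708 or 45634|9708). The following added example, written for this page and not part of Joe Sandbox's tooling, parses such rows by enumerating only well-formed readings anchored on the known sandbox address (192.168.2.6, from the table) and letting the unambiguous rows vote for the flow, then summarises traffic per remote endpoint and flags the remote port. The sample rows are a constructed copy of the first five entries of the table; WELL_KNOWN_PORTS is an assumed list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report's run-together layout: timestamp, source port,
# destination port, source IP and destination IP with no separators between them.
SAMPLE_ROWS = """\
Nov 18, 2020 13:06:57.161761999 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:06:57.342571974 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:06:57.342952967 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:06:57.434830904 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:06:57.620856047 CET456349708104.207.150.47192.168.2.6
""".strip().splitlines()

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)(?P<tail>[\d.]+)$"
)

# Assumed list of ports a C2 channel would be expected to hide behind; anything else
# is reported as non-standard. Adjust for the environment being triaged.
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (len(p) == 1 or p[0] != "0") and int(p) <= 255 for p in parts
    )


def is_port(s):
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and 1 <= int(s) <= 65535


def candidates(tail, local_ip):
    """All readings (src_port, dst_port, src_ip, dst_ip) of a run-together tail in
    which both IPs and both ports are well-formed and one IP is the sandbox host."""
    out = []
    for i in range(1, len(tail)):
        ports, ips = tail[:i], tail[i:]
        if not ports.isdigit():
            break  # a dot has been reached: everything from here on is IP text
        for j in range(7, len(ips) - 6):  # shortest IPv4 literal is 7 characters
            src_ip, dst_ip = ips[:j], ips[j:]
            if local_ip not in (src_ip, dst_ip) or not (is_ipv4(src_ip) and is_ipv4(dst_ip)):
                continue
            for k in range(1, len(ports)):
                if is_port(ports[:k]) and is_port(ports[k:]):
                    out.append((int(ports[:k]), int(ports[k:]), src_ip, dst_ip))
    return out


def flow_key(cand):
    src_port, dst_port, src_ip, dst_ip = cand
    return frozenset({(src_ip, src_port), (dst_ip, dst_port)})


def parse_rows(rows, local_ip):
    """Parse flattened rows. Rows with several readings are resolved towards the flow
    that rows with exactly one reading have already established."""
    parsed, votes = [], Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        cands = candidates(m["tail"], local_ip)
        if not cands:
            raise ValueError(f"no well-formed reading of: {row!r}")
        parsed.append((m["ts"], cands))
        if len(cands) == 1:
            votes[flow_key(cands[0])] += 1
    records = []
    for ts, cands in parsed:
        best = max(cands, key=lambda c: votes[flow_key(c)])  # first candidate on a tie
        records.append({"ts": ts, "src_port": best[0], "dst_port": best[1],
                        "src_ip": best[2], "dst_ip": best[3]})
    return records


def summarize(records, local_ip):
    """Per remote endpoint: packets out of and into the sandbox, plus a flag for a
    remote port outside the assumed well-known set."""
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for r in records:
        if r["src_ip"] == local_ip:
            flows[(r["dst_ip"], r["dst_port"])]["out"] += 1
        else:
            flows[(r["src_ip"], r["src_port"])]["in"] += 1
    return {f"{ip}:{port}": {**counts, "nonstandard_port": port not in WELL_KNOWN_PORTS}
            for (ip, port), counts in flows.items()}


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS, "192.168.2.6")
    for endpoint, info in summarize(recs, "192.168.2.6").items():
        print(endpoint, info)
```

              Run over the whole table this yields one remote endpoint, 104.207.150.47:4563, with traffic in both directions, which is what the "Detected TCP or UDP traffic on non-standard ports" signature reflects. The voting step is what makes the inbound rows safe to parse: 4563|49708 and 45634|9708 are both legal port pairs, and only the outbound rows, whose split is unique, settle which one is real.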

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Nov 18, 2020 13:06:57.161761999 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.342571974 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.342952967 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.434830904 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.620856047 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.621068954 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.854350090 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.855804920 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.035903931 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.065124989 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.290086985 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290112019 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290128946 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290144920 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.292371988 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.472335100 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472367048 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472383022 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472395897 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472409010 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472429037 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472445965 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472461939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472552061 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.472585917 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652507067 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652535915 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652559042 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652581930 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652597904 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652597904 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652614117 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652631044 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652636051 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652653933 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652672052 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652712107 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653127909 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653147936 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653168917 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653187037 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653189898 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653203964 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653223038 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653232098 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653245926 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653283119 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653335094 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.654036999 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832644939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832674026 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832689047 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832701921 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832717896 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832736969 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832755089 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832772970 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832784891 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832801104 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832803011 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832819939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832838058 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832854986 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832863092 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832870960 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832886934 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832901001 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832901955 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832925081 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832966089 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832983971 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833000898 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833059072 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833070993 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833089113 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833105087 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833121061 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833137989 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833157063 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833172083 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833173990 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833189964 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833204985 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833220959 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833223104 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833236933 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833251953 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833259106 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833316088 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.834074020 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.834094048 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.834188938 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013355017 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013382912 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013400078 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013416052 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013433933 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013453007 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013472080 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013488054 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013503075 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013519049 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013534069 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013546944 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013561964 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013577938 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013593912 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013612986 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013629913 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013645887 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013644934 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013664961 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013683081 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013698101 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013714075 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013730049 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013730049 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013747931 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013765097 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013763905 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013782024 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013801098 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013803005 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013804913 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013822079 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013838053 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013854027 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013854027 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013870001 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013885975 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013902903 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013906002 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013919115 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013941050 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013959885 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013976097 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013991117 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014008045 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014008999 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014024973 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014028072 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014041901 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014058113 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014074087 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014076948 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014079094 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014096022 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014096975 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014112949 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014127970 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014128923 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014144897 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014159918 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.014193058 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.014240980 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.193996906 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194026947 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194044113 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194061041 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194077015 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194093943 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194111109 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.194128990 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194149971 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194173098 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194174051 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194189072 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194206953 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194224119 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194240093 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194262981 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194282055 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194305897 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194307089 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194312096 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194324017 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194328070 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194328070 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194338083 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194346905 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194364071 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194379091 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194380045 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194399118 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194418907 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194420099 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194441080 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194447994 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194458008 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194508076 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194508076 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194525003 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194545031 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194562912 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194576025 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194578886 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194595098 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194606066 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194606066 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194618940 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194659948 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194678068 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194679976 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194691896 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194705963 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194716930 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194719076 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194740057 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194747925 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194752932 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194785118 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194788933 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194822073 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194849014 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194864988 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194884062 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194896936 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194909096 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194922924 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194931984 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.194977999 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.194981098 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.195065022 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374341965 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374376059 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374392986 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374409914 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374425888 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374440908 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374458075 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374473095 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374492884 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374509096 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374525070 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374528885 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374543905 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374561071 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374576092 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374588013 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374592066 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374608040 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374624968 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374628067 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374645948 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374660015 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374660969 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374675989 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374691963 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374695063 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374706984 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374722958 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374723911 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374738932 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374752045 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374758005 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374778032 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374782085 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374794960 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374810934 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374826908 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374842882 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374846935 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374859095 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374875069 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374893904 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374896049 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374911070 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374927044 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374936104 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374943018 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374958992 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374958992 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.374974012 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.374989986 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375004053 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375005007 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.375022888 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375041008 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375055075 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.375057936 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375073910 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375087023 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.375089884 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375104904 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375121117 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375128984 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.375135899 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.375163078 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.375191927 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555237055 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555270910 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555288076 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555305958 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555324078 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555337906 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555356026 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555358887 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555372953 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555388927 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555404902 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555412054 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555422068 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555440903 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555442095 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555459976 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555468082 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555475950 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555493116 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555500984 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555510044 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555525064 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555526972 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555542946 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555557966 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555567980 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555577993 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555594921 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555610895 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555613995 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555627108 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555645943 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555648088 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555663109 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555674076 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555675983 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555701971 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555708885 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555715084 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555731058 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555743933 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555748940 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555767059 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555790901 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555804014 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555809021 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555820942 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555840969 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555851936 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555859089 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555876017 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555891991 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555893898 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555907965 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555922985 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555938005 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555946112 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555954933 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555974007 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.555975914 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.555994034 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556004047 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556010008 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556025982 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556031942 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556041956 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556061029 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556066990 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556077003 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556093931 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556097031 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556107998 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556123972 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556139946 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556148052 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556152105 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556169033 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556184053 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556195021 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556200027 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556215048 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556231022 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556231976 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556245089 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556257010 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556262016 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556272030 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556292057 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556299925 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556312084 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556328058 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:06:59.556334972 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:06:59.556387901 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:00.828438997 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:01.057490110 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:01.158262014 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:01.221275091 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:01.401521921 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:01.455667019 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:02.394018888 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:02.526644945 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:02.526799917 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:02.635665894 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:02.707973957 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:02.885337114 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:03.065321922 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:03.074836969 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:03.307491064 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:03.307563066 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:03.541991949 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:03.568476915 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:03.807626009 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:06.855432987 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:06.909293890 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:07.542937994 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:07.596956015 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:08.269853115 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:08.510963917 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:12.558495998 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:12.612950087 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:13.270932913 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:13.510700941 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:14.979717016 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:15.019267082 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:17.574034929 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:17.613564968 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:18.324237108 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:18.557640076 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:22.603364944 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:22.645210028 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:23.121356964 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:23.176270008 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:23.929029942 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:24.166980982 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:27.605043888 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:27.660980940 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:28.942126989 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:29.183850050 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:31.246042013 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:31.301992893 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:32.620984077 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:32.677042961 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:33.990916014 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:34.229409933 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:37.636065006 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:37.677510977 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:39.386665106 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:39.427690983 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:40.022921085 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:40.260642052 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:42.652491093 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:42.693550110 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:46.023226023 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:46.260786057 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:47.511949062 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:47.553281069 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:47.733180046 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:47.787849903 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:52.025150061 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:52.260617971 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:52.682951927 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:52.741291046 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:55.620557070 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:55.663465023 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:57.732888937 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:07:57.775321007 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:07:58.010735035 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:02.746062994 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:02.775481939 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:03.010751009 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:03.746368885 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:03.789072037 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:07.762662888 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:07.820615053 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:08.775537968 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:09.010703087 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:11.870919943 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:11.914741993 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:12.778213978 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:12.821032047 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:14.774955988 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:15.010741949 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:17.792593002 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:17.837526083 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:19.996078968 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:20.040489912 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:20.776110888 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:21.026379108 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:22.808532953 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:22.853362083 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:25.777239084 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:26.026397943 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:27.824832916 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:27.869204998 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:28.168114901 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:28.212938070 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:30.839217901 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:31.073312044 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:32.839497089 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:32.885276079 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:35.840270996 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:36.073241949 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:36.292980909 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:36.339252949 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:37.855861902 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:37.901273012 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:41.839793921 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:42.073402882 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:42.870902061 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:42.917331934 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:44.406486034 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:44.448837042 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:47.848838091 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:47.886255026 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:47.933500051 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:48.089013100 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:52.558649063 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:52.606319904 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:52.872068882 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:52.902599096 CET456349708104.207.150.47192.168.2.6
              Nov 18, 2020 13:08:52.965061903 CET497084563192.168.2.6104.207.150.47
              Nov 18, 2020 13:08:53.104518890 CET456349708104.207.150.47192.168.2.6
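The packet list above is a single TCP conversation between the analysis host 192.168.2.6 (ephemeral port 49708) and 104.207.150.47 on port 4563, the non-standard port the signature summary flags; after the initial burst it settles into an exchange every five seconds or so. The following added example, written for this page rather than taken from Joe Sandbox, parses rows in the run-together form the report prints (timestamp, source port, destination port, source IP, destination IP with the separators lost) and summarises the flow. Because port digits and the first octet touch, a row can have more than one valid reading; the parser enumerates them, keeps readings that involve a host you name (here the analysis VM address, which appears in the rows), and uses endpoints fixed by unambiguous rows to settle the rest. The twelve sample rows are copied from the end of the list above; the list of well-known ports and the one-second "quiet gap" threshold are our choices.

```python
"""Parse the run-together TCP packet rows of this report and summarise the flow.
Added example for this page, not Joe Sandbox code. Each row is timestamp, src port,
dst port, src IP, dst IP with the separators lost, e.g.
'Nov 18, 2020 13:06:59.013714075 CET456349708104.207.150.47192.168.2.6'."""
import re
from dataclasses import dataclass
from datetime import datetime
from itertools import product

# Twelve consecutive rows from the end of the packet list in this report (row text copied).
SAMPLE_ROWS = """\
Nov 18, 2020 13:08:44.406486034 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:08:44.448837042 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:47.848838091 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:47.886255026 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:08:47.933500051 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:48.089013100 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:08:52.558649063 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:08:52.606319904 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:52.872068882 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:52.902599096 CET456349708104.207.150.47192.168.2.6
Nov 18, 2020 13:08:52.965061903 CET497084563192.168.2.6104.207.150.47
Nov 18, 2020 13:08:53.104518890 CET456349708104.207.150.47192.168.2.6
"""
ROW_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
                    r"\.(?P<frac>\d+) (?P<tz>[A-Z]{3,4})(?P<rest>\d[\d.]*)$")
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}  # our list


@dataclass(frozen=True)
class Packet:
    ts: datetime  # microsecond resolution (the page prints nanoseconds)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _num_ok(s: str, limit: int) -> bool:
    """A decimal field as the report prints it: no leading zero, within range."""
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= limit


def candidates(rest: str) -> list[tuple[str, int, str, int]]:
    """Every valid (src_ip, src_port, dst_ip, dst_port) reading of the digit run."""
    parts = rest.split(".")
    if len(parts) != 7:  # two dotted quads in one run means exactly six dots
        return []
    head, a2, a3, mid, b2, b3, b4 = parts
    out = []
    for p1, p2 in product(range(1, 6), repeat=2):  # head = src port + dst port + a1
        sp, dp, a1 = head[:p1], head[p1:p1 + p2], head[p1 + p2:]
        if not (1 <= len(a1) <= 3 and _num_ok(sp, 65535)
                and _num_ok(dp, 65535) and _num_ok(a1, 255)):
            continue
        for k in range(1, 4):  # mid = last octet of src IP + first octet of dst IP
            a4, b1 = mid[:k], mid[k:]
            if 1 <= len(b1) <= 3 and all(_num_ok(o, 255) for o in (a4, b1, a2, a3, b2, b3, b4)):
                out.append((f"{a1}.{a2}.{a3}.{a4}", int(sp), f"{b1}.{b2}.{b3}.{b4}", int(dp)))
    return out


def parse_rows(text: str, known_hosts) -> tuple[list[Packet], list[str]]:
    """Two passes: rows with a single reading that involves a known host fix a set of
    endpoints; the rest are resolved against it. Returns (packets, still-ambiguous rows)."""
    known = set(known_hosts)
    staged = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S").replace(
            microsecond=int(m["frac"][:6].ljust(6, "0")))
        cands = [c for c in candidates(m["rest"]) if c[0] in known or c[2] in known]
        staged.append((line, ts, cands))
    fixed = [cs[0] for _, _, cs in staged if len(cs) == 1]
    endpoints = {(c[0], c[1]) for c in fixed} | {(c[2], c[3]) for c in fixed}
    packets, ambiguous = [], []
    for line, ts, cands in staged:
        if len(cands) > 1:
            cands = [c for c in cands
                     if (c[0], c[1]) in endpoints and (c[2], c[3]) in endpoints]
        if len(cands) == 1:
            packets.append(Packet(ts, *cands[0]))
        else:
            ambiguous.append(line)
    return packets, ambiguous


def summarize(packets: list[Packet], known_hosts) -> dict:
    """Remote endpoint, packets per direction, duration, and the silences between
    packets (a keepalive cadence shows up as the long gaps)."""
    known = set(known_hosts)
    ordered = sorted(packets, key=lambda p: p.ts)
    if not ordered:
        return {}
    f = ordered[0]
    rip, rport = (f.src_ip, f.src_port) if f.src_ip not in known else (f.dst_ip, f.dst_port)
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return {"remote": f"{rip}:{rport}", "non_standard_port": rport not in WELL_KNOWN_PORTS,
            "to_remote": sum(p.dst_ip == rip for p in packets),
            "from_remote": sum(p.src_ip == rip for p in packets),
            "duration_s": (ordered[-1].ts - f.ts).total_seconds(),
            "max_gap_s": max(gaps, default=0.0),
            "quiet_gaps": sum(g > 1.0 for g in gaps)}  # silences longer than a second
```

For the sample the summary names 104.207.150.47:4563 as the remote endpoint, six packets each way, and two silences longer than a second (about 3.4 s and 4.5 s), the spacing visible in the tail of the list above. Run it over the whole list to recover the full timeline; rows that cannot be settled are returned rather than guessed, and `candidates()` on a bare row shows why: the reverse-direction row has two valid readings until the host hint rules one out.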

              Code Manipulations

              Statistics

              CPU Usage

              Memory Usage

              High Level Behavior Distribution

              Behavior

              System Behavior

              General

              Start time:13:06:44
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\eabass ).exe'
              Imagebase:0x870000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.365991657.0000000002D09000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
              Imagebase:0xaf0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\eabass ).exe
              Imagebase:0x1c0000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:13:06:53
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\eabass ).exe
              Imagebase:0x9a0000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low
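              The two signatures "Scheduled temp file as task from temp location" and "Detected TCP or UDP traffic on non-standard ports" can be re-derived from the raw artifacts listed above: the schtasks.exe command line in System Behavior and the TCP packet rows to 104.207.150.47. The script below is an added example, not part of the Joe Sandbox report or of NanoCore; its input rows are transcribed from this page (the first eight packets and the four process records), and the well-known port set, the local network prefix and the temp-directory pattern are assumptions of the example.

```python
"""Re-derive two of the report's behavioural signatures from the raw artifacts.

Added example, not part of the sandbox report. PACKET_ROWS and PROCESSES are
transcribed from the report above; WELL_KNOWN_PORTS, the local prefix and the
temp-directory pattern are assumptions of this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# --- Network: the first eight TCP packet rows above, one packet per line (constructed input) ---
PACKET_ROWS = """\
Nov 18, 2020 13:08:41.839793921 CET 49708 4563 192.168.2.6 104.207.150.47
Nov 18, 2020 13:08:42.073402882 CET 4563 49708 104.207.150.47 192.168.2.6
Nov 18, 2020 13:08:42.870902061 CET 4563 49708 104.207.150.47 192.168.2.6
Nov 18, 2020 13:08:42.917331934 CET 49708 4563 192.168.2.6 104.207.150.47
Nov 18, 2020 13:08:44.406486034 CET 4563 49708 104.207.150.47 192.168.2.6
Nov 18, 2020 13:08:44.448837042 CET 49708 4563 192.168.2.6 104.207.150.47
Nov 18, 2020 13:08:47.848838091 CET 49708 4563 192.168.2.6 104.207.150.47
Nov 18, 2020 13:08:47.886255026 CET 4563 49708 104.207.150.47 192.168.2.6
"""

ROW = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CET "
                 r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")

# Assumption: ports a workstation legitimately talks to; anything else from a fresh process is worth a look.
WELL_KNOWN_PORTS = {25, 53, 80, 123, 443, 445, 587, 993, 995}


@dataclass
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_packets(text: str) -> list:
    """Parse report rows; garbled or header lines are skipped rather than aborting the parse."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ts = re.sub(r"(\.\d{6})\d+$", r"\1", m["ts"])  # strptime's %f accepts at most 6 fractional digits
        packets.append(Packet(datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f"),
                              int(m["sport"]), int(m["dport"]), m["src"], m["dst"]))
    return packets


def summarize_flows(packets, local_prefix="192.168."):
    """Group packets by remote endpoint (ip, port) as seen from the local host and flag odd ports."""
    flows = {}
    for p in packets:
        if p.src.startswith(local_prefix):
            key, direction = (p.dst, p.dport), "out"
        else:
            key, direction = (p.src, p.sport), "in"
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": p.ts, "last": p.ts})
        f[direction] += 1
        f["first"], f["last"] = min(f["first"], p.ts), max(f["last"], p.ts)
    for (ip, port), f in flows.items():
        f["nonstandard_port"] = port not in WELL_KNOWN_PORTS
        f["duration_s"] = (f["last"] - f["first"]).total_seconds()
    return flows


# --- Persistence: (image path, command line) pairs from "System Behavior" above (constructed input) ---
PROCESSES = [
    (r"C:\Users\user\Desktop\eabass ).exe", r"'C:\Users\user\Desktop\eabass ).exe'"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'"),
    (r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Users\user\Desktop\eabass ).exe", r"C:\Users\user\Desktop\eabass ).exe"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)  # assumption: temp roots to flag


def _arg(cmd: str, flag: str):
    """Value following a schtasks switch, single-quoted (as the report renders quotes) or bare."""
    m = re.search(re.escape(flag) + r"\s+(?:'(?P<q>[^']+)'|(?P<u>\S+))", cmd, re.I)
    return (m["q"] or m["u"]) if m else None


def find_temp_task_persistence(processes):
    """Flag schtasks.exe /Create whose task definition is an XML file living in a temp directory."""
    findings = []
    for path, cmd in processes:
        if not path.lower().endswith("\\schtasks.exe") or not re.search(r"/create\b", cmd, re.I):
            continue
        xml = _arg(cmd, "/XML")
        if xml and TEMP_DIR.search(xml):
            findings.append({"task": _arg(cmd, "/TN"), "xml": xml, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for (ip, port), f in summarize_flows(parse_packets(PACKET_ROWS)).items():
        print(f"{ip}:{port} out={f['out']} in={f['in']} {f['duration_s']:.3f}s nonstandard={f['nonstandard_port']}")
    for hit in find_temp_task_persistence(PROCESSES):
        print(f"persistence: task {hit['task']!r} defined from {hit['xml']}")
```

              Both checks are deliberately narrow: the flow summary only tells you the sample spoke to one remote endpoint on 4563 in both directions, so pair it with the process that owned socket 49708 before treating the port alone as the indicator, and the task check keys on the XML path rather than the task name because the 'Updates\<random>' name changes per build.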

              Disassembly

              Code Analysis


                Executed Functions

                APIs
                • GetCurrentProcess.KERNEL32 ref: 00F76C18
                • GetCurrentThread.KERNEL32 ref: 00F76C55
                • GetCurrentProcess.KERNEL32 ref: 00F76C92
                • GetCurrentThreadId.KERNEL32 ref: 00F76CEB
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 015e8deef534f124bd7a46433d198f581021b767aba943aa4e436b7c2af60514
                • Instruction ID: e15b76202df15d6192fc7d5c34dac6707060b525c5a7a9ecc0189bf686b88fc8
                • Opcode Fuzzy Hash: 015e8deef534f124bd7a46433d198f581021b767aba943aa4e436b7c2af60514
                • Instruction Fuzzy Hash: F95143B4D007488FDB14CFAAD988BDEBBF4EB48314F20845AE419A7291D7755944CF26
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 00F76C18
                • GetCurrentThread.KERNEL32 ref: 00F76C55
                • GetCurrentProcess.KERNEL32 ref: 00F76C92
                • GetCurrentThreadId.KERNEL32 ref: 00F76CEB
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 0ef1875bddee2d2ac74a95f5b1e2141898cdf495fca74a864746b5f3e4c38bbb
                • Instruction ID: 183bcf0b0252f8f7e0d7672a0c0629c2335878cb0a1e7de8f39455c3844ec773
                • Opcode Fuzzy Hash: 0ef1875bddee2d2ac74a95f5b1e2141898cdf495fca74a864746b5f3e4c38bbb
                • Instruction Fuzzy Hash: 735144B4D007498FDB14CFAAD588BDEBBF4EB48318F20845AE419A7391D7745844CF66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000), ref: 00F7BE2E
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: f928688971b591f63db042eef2f205679825979d532ed458f7bfb3a411159735
                • Instruction ID: 24b2aacd48efe5eee59f852e6b674ed966a300d21c19c9aa84a56ba591a51abb
                • Opcode Fuzzy Hash: f928688971b591f63db042eef2f205679825979d532ed458f7bfb3a411159735
                • Instruction Fuzzy Hash: 91813270A00B058FD724DF2AD44579ABBF1FF89314F10892EE54ADBA40DB75E8468B92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F7DDAA
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 8ae00eea65e94f5084fb7d1792f5f6258ec6360946b853a8b728636218bf3b5b
                • Instruction ID: 72a6150e8843a88bf4140137a42dd0dc69e638bf4baddd3ef722fa8947f4bf50
                • Opcode Fuzzy Hash: 8ae00eea65e94f5084fb7d1792f5f6258ec6360946b853a8b728636218bf3b5b
                • Instruction Fuzzy Hash: 8A51D0B1D00309DFDB14CFA9C884ADEBBB5BF88314F65852AE819AB210D7749985CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F7DDAA
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: aacecc48c4395c739d8a6340fa1b3bb73dc9e29f35039635f686bf0e3c70001c
                • Instruction ID: d7509e75eabd38e7cabc3e7b7ebb1bef44593c40ece6d74f16626ec3aadf4fec
                • Opcode Fuzzy Hash: aacecc48c4395c739d8a6340fa1b3bb73dc9e29f35039635f686bf0e3c70001c
                • Instruction Fuzzy Hash: F841B0B1D003099FDB14CFA9C884ADEBBB5BF88314F65852AE819AB250D7749845CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F76E67
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 69733463b9576dd97a57ce18f5293388d4bb93ba3cbaa087a9303f39678787aa
                • Instruction ID: f25ee7003ad23b56c400cbf3e005c97875d97d3d4751c75c55ece9f4be7ac5e2
                • Opcode Fuzzy Hash: 69733463b9576dd97a57ce18f5293388d4bb93ba3cbaa087a9303f39678787aa
                • Instruction Fuzzy Hash: 7A415775900219AFCB11CFA9D880ADEBFF9FB48320F14806AF914E7221C3359915DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F76E67
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: b354461bfe2cc8c7b678e5be3c717f2864f8860f65e585ddcd7e35fa9c92922b
                • Instruction ID: ecf0a380be8beb58f81e66cc7e1822b00c180eb776d7200c839d3b38b1fdf13e
                • Opcode Fuzzy Hash: b354461bfe2cc8c7b678e5be3c717f2864f8860f65e585ddcd7e35fa9c92922b
                • Instruction Fuzzy Hash: D421DFB5D006089FDB10CFAAD884AEEBBF4FB48324F15845AE919A7210C374A955CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F76E67
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 6cd14e92ce956113481793263af2e87f961bdef1e14ec66f9e4cc2ed1176d866
                • Instruction ID: 8ad0afb35b980749a085a42efb230a9d0bf2255e31ec101cfa70e00958525970
                • Opcode Fuzzy Hash: 6cd14e92ce956113481793263af2e87f961bdef1e14ec66f9e4cc2ed1176d866
                • Instruction Fuzzy Hash: FB21D3B5D006499FDB10CFAAD884ADEBBF8FB48324F14841AE919A3310D374A954DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F7BEA9,00000800,00000000,00000000), ref: 00F7C0BA
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 141fa484c66acc0f05a69d9e3d795953b1065810a95ea20e63ee320f96e3facd
                • Instruction ID: d4bf8937475253293dcbe3ab22a2b9c280bd2db3a27ef93873a92be8242e8c8e
                • Opcode Fuzzy Hash: 141fa484c66acc0f05a69d9e3d795953b1065810a95ea20e63ee320f96e3facd
                • Instruction Fuzzy Hash: AC1103B6D00208CFCB10CFAAD844BDEBBF4AB48324F10842EE519A7600C375A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00F7BEA9,00000800,00000000,00000000), ref: 00F7C0BA
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 1dfe3d39579fd81c29eeb27a37108bdec6b36e6bbdfef5136c5a5e669548a675
                • Instruction ID: 828eeafc99d686b54cbfccf5c13e3f02a15bd82cf159033b5d28c942034f6b4a
                • Opcode Fuzzy Hash: 1dfe3d39579fd81c29eeb27a37108bdec6b36e6bbdfef5136c5a5e669548a675
                • Instruction Fuzzy Hash: 941103B6D00209CFCB10DFAAC844BDEFBF4AB88324F11852EE519A7200C375A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000), ref: 00F7BE2E
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 049f307623ab0732b0396ec0ebd85b94e14e3a303f56f9a0be891c0d24870b3e
                • Instruction ID: d91f9a039164dbd9dfeeb6a8b5f602d940dd61322b56c52c15cc91d7e8f94ff7
                • Opcode Fuzzy Hash: 049f307623ab0732b0396ec0ebd85b94e14e3a303f56f9a0be891c0d24870b3e
                • Instruction Fuzzy Hash: 3611E0B5D006498FCB10CF9AD444BDEFBF4EB89324F14841AD919A7700C374A546CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 00F7DF3D
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 3c9d81c70ac4c92123932a1d8296cb9a84d7e1702a4a3fda230be7755c3ff329
                • Instruction ID: d471138df6b94e14e36a0cd6df05ea737557a1f38317d397e242a5c7d68d87be
                • Opcode Fuzzy Hash: 3c9d81c70ac4c92123932a1d8296cb9a84d7e1702a4a3fda230be7755c3ff329
                • Instruction Fuzzy Hash: DF11F3B59002499FDB10DF9AD485BDEFBF8EF48324F10841AE91AA7300C374A945CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 00F7DF3D
                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 4f3510f8f01e73345296a6f078ed2808c39c6f2f0413aca894925877a8c720f8
                • Instruction ID: 9b0b5b1dd488ae935f67efe2fa15e72de34813140c67d929e5eaac46aa106452
                • Opcode Fuzzy Hash: 4f3510f8f01e73345296a6f078ed2808c39c6f2f0413aca894925877a8c720f8
                • Instruction Fuzzy Hash: 6211D3B59006098FDB10DF99D585BDEBBF8EB48324F14851AE919B7700C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fe53691ab66282ef15824b370e5f2f401caad2ffef9655512a1b290a8607c9a2
                • Instruction ID: 7bc41174a5d701149e511d59afac23e9f12b4d308dc6834849d0bcfdfc69923a
                • Opcode Fuzzy Hash: fe53691ab66282ef15824b370e5f2f401caad2ffef9655512a1b290a8607c9a2
                • Instruction Fuzzy Hash: 67525AB15017068FE722CF14E8C85997BB9FB41328F948219D365BB6D8F3B4658ACF84
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.365302526.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea6576b84f108990914749013c10f403cd1ee70ceb056b9ba020aea45545e233
                • Instruction ID: a85201f1a3329d7ac3620bfc3ca8fc5da5b4898f7044f4aca58a384c201c305c
                • Opcode Fuzzy Hash: ea6576b84f108990914749013c10f403cd1ee70ceb056b9ba020aea45545e233
                • Instruction Fuzzy Hash: C4A1AB32E002198FCF15DFB5C8845DEBBB2FF89300B15C16AE909AB225EB35E905DB41
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • GetCurrentProcess.KERNEL32 ref: 02DAB730
                • GetCurrentThread.KERNEL32 ref: 02DAB76D
                • GetCurrentProcess.KERNEL32 ref: 02DAB7AA
                • GetCurrentThreadId.KERNEL32 ref: 02DAB803
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 33bdaf3d0e18b51c393e9428b7edfe5feb8c4c9e04bde63204a9dbeb930cd63c
                • Instruction ID: 36399e5c07150981e51fef7bf8793b57d3883de02edbb791e46fa57072e4f2da
                • Opcode Fuzzy Hash: 33bdaf3d0e18b51c393e9428b7edfe5feb8c4c9e04bde63204a9dbeb930cd63c
                • Instruction Fuzzy Hash: A05155B4A0074A8FDB14CFA9C648BDEBBF0AF49318F24889AE419A7350C7745885CF65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32 ref: 02DAB730
                • GetCurrentThread.KERNEL32 ref: 02DAB76D
                • GetCurrentProcess.KERNEL32 ref: 02DAB7AA
                • GetCurrentThreadId.KERNEL32 ref: 02DAB803
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 9423e4ace05b8f141d811c50ba6dc3eee7549e9f9698f67f229fce3bd98ecf47
                • Instruction ID: 9bed96b6e4e5ecda6c555a0684ea29c13959f8585fb4ae2c6d34c5626ac093fb
                • Opcode Fuzzy Hash: 9423e4ace05b8f141d811c50ba6dc3eee7549e9f9698f67f229fce3bd98ecf47
                • Instruction Fuzzy Hash: 365146B4E007498FDB14CFAAD648BEEBBF5AF48318F20845AE419A7350C7745885CF65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 02DA962E
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: adca5444595c26d9af378d04d8cbae63948878ef2417de36eb5bfff6201ec970
                • Instruction ID: bb25b8dc7481ad6310bcd1872ca7d16c674e3a85120175dfbbcf0db366032ae8
                • Opcode Fuzzy Hash: adca5444595c26d9af378d04d8cbae63948878ef2417de36eb5bfff6201ec970
                • Instruction Fuzzy Hash: 64711370A00B058FDB24DF2AD065B9ABBF1FF88214F108A2DD58AD7B50DB74E845CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DAFD0A
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 158f87fb50fcffdf7f5d15b8ab64492c9db46efa232ed98374cb42c4ba8c8634
                • Instruction ID: f8d5b39f0849ccbda653188ed9a28c9f1e1469d12ee54ad458f45be4e209b808
                • Opcode Fuzzy Hash: 158f87fb50fcffdf7f5d15b8ab64492c9db46efa232ed98374cb42c4ba8c8634
                • Instruction Fuzzy Hash: 9051EEB1D003089FDF15CFA9C984ADEBBB1BF48314F24852AE819AB210D7759985CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DAFD0A
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 9b74789aab2e553b73d4bc9803bfe7fba131f6ab4b32a151cd4ef7d75bff699c
                • Instruction ID: e342a07ac0aa343efe23021565d6a074230a04a0b6f94b994dc6fe42fddedbb8
                • Opcode Fuzzy Hash: 9b74789aab2e553b73d4bc9803bfe7fba131f6ab4b32a151cd4ef7d75bff699c
                • Instruction Fuzzy Hash: 5241C0B1D003089FDF15CF9AC884ADEBBB5BF88314F24812AE819AB310D7759945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DABD87
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: b6243deef22254f25b44344ca79c13edffeb1756f8ba628501ccb795416ce35e
                • Instruction ID: 34882f6218bce1cc021915142f0d0ebcc9172e44e91431b6474d4d989214c54e
                • Opcode Fuzzy Hash: b6243deef22254f25b44344ca79c13edffeb1756f8ba628501ccb795416ce35e
                • Instruction Fuzzy Hash: A221E0B5D002089FDF10CFA9D984AEEBBF4AB48324F14841AE915A7310D378A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DABD87
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: cdd371a76c5da772b73695ec28cc2fca141389262095bada847cb9ef81b01efb
                • Instruction ID: b445f7ca27ff772675361c5edcf0703b9bad60582e77fa80acb0c086f996a258
                • Opcode Fuzzy Hash: cdd371a76c5da772b73695ec28cc2fca141389262095bada847cb9ef81b01efb
                • Instruction Fuzzy Hash: 9521C2B59002489FDF10CFAAD984ADEBBF8EB48324F14841AE955A3310D378A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DA96A9,00000800,00000000,00000000), ref: 02DA98BA
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: a7474e3e20a73cf210b443f41a1c1e2981c4a37f92438ab52e75b73d78ecf193
                • Instruction ID: 88b87c48186e5d2d0a1b9c155e2e2a3dff2b4a92ec439ba84db4d54f2016f4d5
                • Opcode Fuzzy Hash: a7474e3e20a73cf210b443f41a1c1e2981c4a37f92438ab52e75b73d78ecf193
                • Instruction Fuzzy Hash: 031103B6D002098FCB10CFAAC454ADEFBF4EB48324F14842EE915A7700C374A945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DA96A9,00000800,00000000,00000000), ref: 02DA98BA
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: dfb6b32d7f4827c33e380ec0fc3bac814f2b1d84b6b53d86cb3bfbe82336c426
                • Instruction ID: a4b85d1fafe62caf38f1fa9037a8c5b32a332f8afd75c99c7c338ebddbf59979
                • Opcode Fuzzy Hash: dfb6b32d7f4827c33e380ec0fc3bac814f2b1d84b6b53d86cb3bfbe82336c426
                • Instruction Fuzzy Hash: 1011E2B6D002098FDB10CFAAC944BDEFBF4AB48324F15842AE955B7700C374A945CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 02DA962E
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 808569e89471b86cbb73c65660a5e69c85d68997bb5a191f10f96bca465b25c0
                • Instruction ID: b98e0222466345c4ba047af6aa6b1e7163e2fdb5ae2c2a66b5d4e048337a6326
                • Opcode Fuzzy Hash: 808569e89471b86cbb73c65660a5e69c85d68997bb5a191f10f96bca465b25c0
                • Instruction Fuzzy Hash: CF11E0B5D006898FCB10CF9AC544BDFFBF4AF88224F14845AD819A7710C378A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 02DAFE9D
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: a80f39f87d4c1c4059d137cecc61900e2bceec03f587a8739f9aff7c071c5608
                • Instruction ID: 732ff0e41f23c04322d71afbec30b06eb16ec23248b58e4b662ade01fc575237
                • Opcode Fuzzy Hash: a80f39f87d4c1c4059d137cecc61900e2bceec03f587a8739f9aff7c071c5608
                • Instruction Fuzzy Hash: 0C11DFB5900209CFDB10CF99D589BDEBBF8EB48324F10845AE958B7700C375AA44CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowLongW.USER32(?,?,?), ref: 02DAFE9D
                Memory Dump Source
                • Source File: 00000004.00000002.613607576.0000000002DA0000.00000040.00000001.sdmp, Offset: 02DA0000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: ee737ebbd1293dc60eb9945c77006d96910ccbd088ee47a1a2320c346dc668b5
                • Instruction ID: ba79d16a1d5d4d2c27015be1476311c51f8e1780cbb1d5b0ad4da1374ed70319
                • Opcode Fuzzy Hash: ee737ebbd1293dc60eb9945c77006d96910ccbd088ee47a1a2320c346dc668b5
                • Instruction Fuzzy Hash: 781112B59002488FDB10DF9AD985BDFFBF8EB48324F10845AE918A3700C374AA44CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613265144.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d24fca4554e7364f5471376b3d3d0039c3aa1f0c71d866c83cecd1545271e00
                • Instruction ID: c61e2a2c36d6b90fdf330e3ad9f06b77babf7ccde4fdc19a88e15db3e7242195
                • Opcode Fuzzy Hash: 9d24fca4554e7364f5471376b3d3d0039c3aa1f0c71d866c83cecd1545271e00
                • Instruction Fuzzy Hash: 522128B1904240DFDF05DF98D9C0B27BF65FB84328F24856AE9054B326C336D856CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613265144.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e6069b6941649019fef9d2f8e31d4939694f43f2c1ef760e526f91f132e1717
                • Instruction ID: 9791a2bb8acf1a7c20049abfff3ea9e7434554364bc32eb6e966f795b68211c5
                • Opcode Fuzzy Hash: 2e6069b6941649019fef9d2f8e31d4939694f43f2c1ef760e526f91f132e1717
                • Instruction Fuzzy Hash: 652121B1904200DFCF05DF94C9C0B67BF65FB84328F20C5BAE9054B216C336E856CAA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613371427.0000000002ACD000.00000040.00000001.sdmp, Offset: 02ACD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c7f3139ab850abd90d3e606a12b47cedccf6027361021bc7b3349446e9db07cf
                • Instruction ID: 7de787c37deabfe1c47bd4107a07203a125116e00a9a60103a12624ba39cb575
                • Opcode Fuzzy Hash: c7f3139ab850abd90d3e606a12b47cedccf6027361021bc7b3349446e9db07cf
                • Instruction Fuzzy Hash: EA21D375504640DFDB14DF28D8C0B16BB65FB84328F34C5BDE94A4B246CB36D847CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613371427.0000000002ACD000.00000040.00000001.sdmp, Offset: 02ACD000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e2211ba2bcd001dcacf4fd4242912ddcd1d2e253a9b9b2c9c0d1c7c4042cb49
                • Instruction ID: d542e72148c17c7d49a5974f4c967d9161f3a1555f41998b880fa039d1775b11
                • Opcode Fuzzy Hash: 3e2211ba2bcd001dcacf4fd4242912ddcd1d2e253a9b9b2c9c0d1c7c4042cb49
                • Instruction Fuzzy Hash: F7217F755097808FCB02CF24D5D0715BF71EB46224F28C5EAD8898B657C33A984ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613265144.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                • Instruction ID: 45c6460d27e90e8baaa134670e40c3d6fbd944f5494684a51a7cd6c4a7363430
                • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                • Instruction Fuzzy Hash: 1211AF76804280CFDF12CF58D5C4B16BF61FB84324F2486AAD9050B626C336D45ACBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.613265144.000000000149D000.00000040.00000001.sdmp, Offset: 0149D000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                • Instruction ID: daa106309b1596f47c738c66c481a6374eb4fed75c30af4935169a05cdcad754
                • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                • Instruction Fuzzy Hash: C011B176804280CFCF16CF54D9C4B56BF71FB84324F24C6AAD8450B626C336E45ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions