
Analysis Report eabass ).exe

Overview

General Information

Sample Name: eabass ).exe
Analysis ID: 319577
MD5: e104111a29db150134fe6a812f54b691
SHA1: b64fd544542b623f37778ede23ae39ca508ed868
SHA256: 563803e4673863857f98356d9d8177b4d1afb49e8eb839e80e4f6e416e7f1083
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • eabass ).exe (PID: 1144 cmdline: 'C:\Users\user\Desktop\eabass ).exe' MD5: E104111A29DB150134FE6A812F54B691)
    • schtasks.exe (PID: 4624 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • eabass ).exe (PID: 2408 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
    • eabass ).exe (PID: 4676 cmdline: C:\Users\user\Desktop\eabass ).exe MD5: E104111A29DB150134FE6A812F54B691)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xa7925:$x1: NanoCore.ClientPluginHost
  • 0xda145:$x1: NanoCore.ClientPluginHost
  • 0xa7962:$x2: IClientNetworkHost
  • 0xda182:$x2: IClientNetworkHost
  • 0xab495:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xddcb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xa768d:$a: NanoCore
  • 0xa769d:$a: NanoCore
  • 0xa78d1:$a: NanoCore
  • 0xa78e5:$a: NanoCore
  • 0xa7925:$a: NanoCore
  • 0xd9ead:$a: NanoCore
  • 0xd9ebd:$a: NanoCore
  • 0xda0f1:$a: NanoCore
  • 0xda105:$a: NanoCore
  • 0xda145:$a: NanoCore
  • 0xa76ec:$b: ClientPlugin
  • 0xa78ee:$b: ClientPlugin
  • 0xa792e:$b: ClientPlugin
  • 0xd9f0c:$b: ClientPlugin
  • 0xda10e:$b: ClientPlugin
  • 0xda14e:$b: ClientPlugin
  • 0xa7813:$c: ProjectData
  • 0xda033:$c: ProjectData
  • 0xa821a:$d: DESCrypto
  • 0xdaa3a:$d: DESCrypto
  • 0xafbe6:$e: KeepAlive

Source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Unpacked PEs

Source: 4.2.eabass ).exe.400000.0.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 4.2.eabass ).exe.400000.0.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 4.2.eabass ).exe.400000.0.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 4.2.eabass ).exe.400000.0.unpack
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\eabass ).exe, ProcessId: 4676, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\eabass ).exe', ParentImage: C:\Users\user\Desktop\eabass ).exe, ParentProcessId: 1144, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp', ProcessId: 4624

Signature Overview

AV Detection:

Found malware configuration
Source: eabass ).exe.4676.4.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["104.207.150.47"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match; File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: eabass ).exe; Joe Sandbox ML: detected
Source: 4.2.eabass ).exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic; TCP traffic: 192.168.2.6:49708 -> 104.207.150.47:4563
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: unknown; TCP traffic detected without corresponding DNS query: 104.207.150.47
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
Source: Yara match; File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 0_2_00F7C2D0
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 0_2_00F799F8
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DAE480
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DAE471
Source: C:\Users\user\Desktop\eabass ).exe; Code function: 4_2_02DABBD4
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371035157.0000000005EFA000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWMLJ.e#c vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.372056045.0000000006760000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.371471703.0000000006660000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.365408882.0000000000FAB000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000002.370728590.0000000005E80000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameKedermister.dllT vs eabass ).exe
Source: eabass ).exe, 00000000.00000000.343438100.0000000000872000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000003.00000000.362483536.00000000001C2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilename vs eabass ).exe
Source: eabass ).exe, 00000004.00000000.363432441.00000000009A2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNAudio.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.616437901.0000000003E31000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs eabass ).exe
Source: eabass ).exe, 00000004.00000002.612909393.000000000110A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs eabass ).exe
Source: eabass ).exe; Binary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: eabass ).exeBinary or memory string: OriginalFilenameWMLJ.exe6 vs eabass ).exe
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: eabass ).exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: iZjPEbxRTQJTJj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine	Classification label: mal100.troj.evad.winEXE@8/8@0/1
          Source: C:\Users\user\Desktop\eabass ).exe	File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe
          Source: C:\Users\user\Desktop\eabass ).exe	Mutant created: \Sessions\1\BaseNamedObjects\YDOIskdbwfIsJCoT
          Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
          Source: C:\Users\user\Desktop\eabass ).exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{076109b0-c49a-4f78-9f0c-cbcb47f22db4}
          Source: C:\Users\user\Desktop\eabass ).exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp
          Source: eabass ).exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\eabass ).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\eabass ).exe	File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\eabass ).exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\eabass ).exe	File read: C:\Users\user\Desktop\eabass ).exe
          Source: unknown	Process created: C:\Users\user\Desktop\eabass ).exe 'C:\Users\user\Desktop\eabass ).exe'
          Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown	Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: unknown	Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: C:\Users\user\Desktop\eabass ).exe	Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe	Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: C:\Users\user\Desktop\eabass ).exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\eabass ).exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: eabass ).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: eabass ).exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\eabass ).exe	Code function: 4_2_02DAC8D9 push edx; ret
          Source: initial sample	Static PE information: section name: .text entropy: 7.7057574273
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 4.2.eabass ).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\eabass ).exe	File created: C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\eabass ).exe	File opened: C:\Users\user\Desktop\eabass ).exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\eabass ).exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.365991657.0000000002D09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: eabass ).exe PID: 1144, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\eabass ).exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\eabass ).exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\eabass ).exe | Window / User API: threadDelayed 3030
          Source: C:\Users\user\Desktop\eabass ).exe | Window / User API: threadDelayed 6127
          Source: C:\Users\user\Desktop\eabass ).exe | Window / User API: foregroundWindowGot 631
          Source: C:\Users\user\Desktop\eabass ).exe | Window / User API: foregroundWindowGot 770
          Source: C:\Users\user\Desktop\eabass ).exe TID: 576 | Thread sleep time: -51315s >= -30000s
          Source: C:\Users\user\Desktop\eabass ).exe TID: 3864 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\eabass ).exe TID: 2932 | Thread sleep time: -13835058055282155s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: eabass ).exe, 00000004.00000003.493728704.0000000001145000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[R
          Source: eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\eabass ).exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\eabass ).exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
          Source: C:\Users\user\Desktop\eabass ).exe | Process created: C:\Users\user\Desktop\eabass ).exe C:\Users\user\Desktop\eabass ).exe
          Source: eabass ).exe, 00000004.00000002.616403394.000000000342C000.00000004.00000001.sdmp | Binary or memory string: Program Manager0.ze
          Source: eabass ).exe, 00000004.00000002.614010116.0000000002F3A000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: eabass ).exe, 00000004.00000002.615264108.0000000003214000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHg
          Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
          Source: eabass ).exe, 00000004.00000002.613301246.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Users\user\Desktop\eabass ).exe VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\eabass ).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\eabass ).exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\eabass ).exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\eabass ).exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
          Source: Yara match | File source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
GuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHand
leUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: eabass ).exe, 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSyste
m.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: eabass ).exe, 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttrib
uteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Yara detected Nanocore RAT
          Source: Yara match, file source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: eabass ).exe PID: 4676, type: MEMORY
          Source: Yara match, file source: 4.2.eabass ).exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection12 | Masquerading1 | Input Capture21 | Security Software Discovery121 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          eabass ).exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.eabass ).exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | eabass ).exe, 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp | false |  | high

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            104.207.150.47 | unknown | United States | 20473 | AS-CHOOPAUS | true

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:319577
            Start date:18.11.2020
            Start time:13:05:45
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 8s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:eabass ).exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:8
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@8/8@0/1
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, svchost.exe
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            13:06:45 | API Interceptor | 1000x Sleep call for process: eabass ).exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection
            104.207.150.47 | Draft BL(s) (BL No UIH000062500).exe | malicious

              Domains

              No context

              ASN

              Match: AS-CHOOPAUS

              Associated Sample Name / URL | Detection | Context IP
              CpManyv2nV.exe | malicious | 108.61.29.35
              ubvk0T4ceG.exe | malicious | 108.61.29.35
              Hag4TPW3Ue.exe | malicious | 140.82.59.108
              2q8x6yYNHj.exe | malicious | 108.61.29.35
              oL9U4IbxMb.exe | malicious | 95.179.229.244
              Y7i2sl4Foh.exe | malicious | 140.82.59.108
              REibC3I4ju.exe | malicious | 108.61.29.35
              OBg8aUeQjJ.exe | malicious | 45.32.129.110
              tbzcpAZnBK.exe | malicious | 66.42.54.195
              w6r8DJTtvF.exe | malicious | 45.76.50.199
              fiksat.exe | malicious | 45.63.107.192
              Invoice.exe | malicious | 66.42.63.136
              qejrj9WOGM.exe | malicious | 140.82.59.108
              http://149.129.50.37/ | malicious | 108.61.40.123
              RbM6WfSPbz.exe | malicious | 144.202.97.5
              PI210941.exe | malicious | 66.42.54.195
              document-359248421.xlsb | malicious | 45.63.107.192
              http://www.viportal.co | malicious | 209.250.225.52
              Amacon Order Specification Requirement.exe | malicious | 149.28.117.117
              4AXKXtaavC.exe | malicious | 140.82.59.108

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eabass ).exe.log
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):1314
              Entropy (8bit):5.350128552078965
              Encrypted:false
              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1659
              Entropy (8bit):5.176005492710507
              Encrypted:false
              SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Ctn:cbha7JlNQV/rydbz9I3YODOLNdq3u
              MD5:20AC5DF5C0E738DE92FB86366885E0CB
              SHA1:BF819154E2968870A6EF5E059DAE17B90A05993C
              SHA-256:01481B4B1EE586B5E2A93598F5F2ECAB905A8CA509776E0EAE5D1B95B1953988
              SHA-512:C4AB981CF70BE031AD18DE1D55B817A9114FD3AD5C771BD346CCFD63783504B9D7469F7B94662377E7B556098E1B1C6012F855E17F5C6CF514C203DD48B241FB
              Malicious:true
              Reputation:low
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):232
              Entropy (8bit):7.024371743172393
              Encrypted:false
              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
              MD5:32D0AAE13696FF7F8AF33B2D22451028
              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:u09t:uE
              MD5:F85BF482C98AF76102C8E65250639E50
              SHA1:F46E7F19C2F16FDD3EAB9D60F4064B5BBEE8D952
              SHA-256:BDE0B0543A8C7AACA18EBB5A7A2694344BBE3BFD5D2127037E7AD183B815F88B
              SHA-512:5CA469F597C2EB393D83D1B8AB7FD073E47558D8EFA251DB9D6BB6389E35E6C79B32796AF1A9592E4447F2EDC668229450E0A9C644E8D9BB157B30509159984F
              Malicious:true
              Reputation:low
              Preview: t.O....H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):40
              Entropy (8bit):5.153055907333276
              Encrypted:false
              SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
              MD5:4E5E92E2369688041CC82EF9650EDED2
              SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
              SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
              SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:data
              Category:dropped
              Size (bytes):327432
              Entropy (8bit):7.99938831605763
              Encrypted:true
              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
              C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):665088
              Entropy (8bit):7.696568668619478
              Encrypted:false
              SSDEEP:12288:H6jXmxXRv6+ftJuI2TBFbsZni3lcEs2jMJ7KUZt9luz9NK3vSH:ZBvvftJuI21aZWGEsrJ7KU5M23qH
              MD5:E104111A29DB150134FE6A812F54B691
              SHA1:B64FD544542B623F37778EDE23AE39CA508ED868
              SHA-256:563803E4673863857F98356D9D8177B4D1AFB49E8EB839E80E4F6E416E7F1083
              SHA-512:12C9223B2D3FC712883CB97FDADF03CDB1EC775B8BE102C0537153C54AF4CDEB4D46DC4AAF2333627984321A424B3ABAA6A00E1E61D5480226680322BE2BA2DA
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............^:... ...@....@.. ....................................@..................................:..S....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B................@:......H.......0..............`...............................................*....(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*Z........o?...........*&..(@....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{.
              C:\Users\user\AppData\Roaming\iZjPEbxRTQJTJj.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\eabass ).exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.696568668619478
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Win16/32 Executable Delphi generic (2074/23) 0.01%
              File name:eabass ).exe
              File size:665088
              MD5:e104111a29db150134fe6a812f54b691
              SHA1:b64fd544542b623f37778ede23ae39ca508ed868
              SHA256:563803e4673863857f98356d9d8177b4d1afb49e8eb839e80e4f6e416e7f1083
              SHA512:12c9223b2d3fc712883cb97fdadf03cdb1ec775b8be102c0537153c54af4cdeb4d46dc4aaf2333627984321a424b3abaa6a00e1e61d5480226680322be2ba2da
              SSDEEP:12288:H6jXmxXRv6+ftJuI2TBFbsZni3lcEs2jMJ7KUZt9luz9NK3vSH:ZBvvftJuI21aZWGEsrJ7KU5M23qH
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............^:... ...@....@.. ....................................@................................

              File Icon

              Icon Hash:00828e8e8686b000

              Static PE Info

              General

              Entrypoint:0x4a3a5e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5FB4FACB [Wed Nov 18 10:43:23 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

              Entrypoint Preview

              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa3a08 | 0x53 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x5b0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0xa1a64 | 0xa1c00 | False | 0.81880162046 | data | 7.7057574273 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rsrc | 0xa4000 | 0x5b0 | 0x600 | False | 0.423828125 | data | 4.09731810024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xa40a0 | 0x324 | data | |
              RT_MANIFEST | 0xa43c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

              Imports

              DLL | Import
              mscoree.dll | _CorExeMain

              Version Infos

              Description | Data
              Translation | 0x0000 0x04b0
              LegalCopyright | Copyright 2017 - 2020
              Assembly Version | 1.0.0.0
              InternalName | WMLJ.exe
              FileVersion | 1.0.0.0
              CompanyName |
              LegalTrademarks |
              Comments |
              ProductName | CashMe Out
              ProductVersion | 1.0.0.0
              FileDescription | CashMe Out
              OriginalFilename | WMLJ.exe

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Nov 18, 2020 13:06:57.161761999 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.342571974 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.342952967 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.434830904 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.620856047 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.621068954 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:57.854350090 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:57.855804920 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.035903931 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.065124989 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.290086985 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290112019 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290128946 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.290144920 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.292371988 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.472335100 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472367048 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472383022 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472395897 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472409010 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472429037 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472445965 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472461939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.472552061 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.472585917 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652507067 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652535915 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652559042 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652581930 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652597904 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652597904 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652614117 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652631044 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652636051 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652653933 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.652672052 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.652712107 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653127909 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653147936 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653168917 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653187037 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653189898 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653203964 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653223038 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653232098 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653245926 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.653283119 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.653335094 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.654036999 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832644939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832674026 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832689047 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832701921 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832717896 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832736969 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832755089 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832772970 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832784891 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832801104 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832803011 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832819939 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832838058 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832854986 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832863092 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832870960 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832886934 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832901001 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832901955 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.832925081 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832966089 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.832983971 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833000898 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833059072 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833070993 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833089113 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833105087 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833121061 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833137989 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833157063 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833172083 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833173990 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833189964 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833204985 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833220959 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833223104 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833236933 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833251953 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.833259106 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.833316088 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:58.834074020 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.834094048 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:58.834188938 CET | 49708 | 4563 | 192.168.2.6 | 104.207.150.47
              Nov 18, 2020 13:06:59.013355017 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013382912 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013400078 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013416052 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013433933 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013453007 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013472080 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6
              Nov 18, 2020 13:06:59.013488054 CET | 4563 | 49708 | 104.207.150.47 | 192.168.2.6

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:13:06:44
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\eabass ).exe'
              Imagebase:0x870000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.366661945.0000000003CB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.365898841.0000000002CB1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.365991657.0000000002D09000.00000004.00000001.sdmp, Author: Joe Security
              Reputation:low

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\iZjPEbxRTQJTJj' /XML 'C:\Users\user\AppData\Local\Temp\tmpEFB4.tmp'
              Imagebase:0xaf0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff61de10000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:13:06:52
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\eabass ).exe
              Imagebase:0x1c0000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:13:06:53
              Start date:18/11/2020
              Path:C:\Users\user\Desktop\eabass ).exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\eabass ).exe
              Imagebase:0x9a0000
              File size:665088 bytes
              MD5 hash:E104111A29DB150134FE6A812F54B691
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.616576592.0000000003E8D000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.612290722.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.613779714.0000000002E48000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Disassembly

              Code Analysis
