Analysis Report uqoYt8EFEWQXAne.exe

Overview

General Information

Sample Name: uqoYt8EFEWQXAne.exe
Analysis ID: 356642
MD5: c415765ef678428f502b101039b7d495
SHA1: e5458ff58b98401d715a68a67afabdefaaf2edc3
SHA256: c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
Tags: exe, NanoCore
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • uqoYt8EFEWQXAne.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe' MD5: C415765EF678428F502B101039B7D495)
    • schtasks.exe (PID: 3984 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • uqoYt8EFEWQXAne.exe (PID: 3040 cmdline: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe MD5: C415765EF678428F502B101039B7D495)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3f54d:$x1: NanoCore.ClientPluginHost
  • 0x7258d:$x1: NanoCore.ClientPluginHost
  • 0x3f58a:$x2: IClientNetworkHost
  • 0x725ca:$x2: IClientNetworkHost
  • 0x430bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x760fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x3f2b5:$a: NanoCore
  • 0x3f2c5:$a: NanoCore
  • 0x3f4f9:$a: NanoCore
  • 0x3f50d:$a: NanoCore
  • 0x3f54d:$a: NanoCore
  • 0x722f5:$a: NanoCore
  • 0x72305:$a: NanoCore
  • 0x72539:$a: NanoCore
  • 0x7254d:$a: NanoCore
  • 0x7258d:$a: NanoCore
  • 0x3f314:$b: ClientPlugin
  • 0x3f516:$b: ClientPlugin
  • 0x3f556:$b: ClientPlugin
  • 0x72354:$b: ClientPlugin
  • 0x72556:$b: ClientPlugin
  • 0x72596:$b: ClientPlugin
  • 0x3f43b:$c: ProjectData
  • 0x7247b:$c: ProjectData
  • 0x3fe42:$d: DESCrypto
  • 0x72e82:$d: DESCrypto
  • 0x4780e:$e: KeepAlive

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.uqoYt8EFEWQXAne.exe.2546bb0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ProcessId: 3040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe' , ParentImage: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', ProcessId: 3984

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: uqoYt8EFEWQXAne.exe | Virustotal: Detection: 42%
Source: uqoYt8EFEWQXAne.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uqoYt8EFEWQXAne.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: uqoYt8EFEWQXAne.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: uqoYt8EFEWQXAne.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49759 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 185.239.242.243:2010
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 185.239.242.243:2010
Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 185.239.242.243:2010
Source: Joe Sandbox View | ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: unknown | TCP traffic detected without corresponding DNS query: 185.239.242.243
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.638312128.00000000054D5000.00000004.00000001.sdmp | String found in binary or memory: http://en.wxK
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.642649855.000000000550D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlmq
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgritaSOR
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm=OD
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp, uqoYt8EFEWQXAne.exe, 00000000.00000003.640686280.00000000054D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnL
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnN
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnO
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnmr_=
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.644430876.0000000005505000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comZ
Source: uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp, uqoYt8EFEWQXAne.exe, 00000000.00000003.639384165.00000000054EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

System Summary:

            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            .NET source code contains very large stringsShow sources
            Source: uqoYt8EFEWQXAne.exe, LogIn.csLong String: Length: 13656
            Source: krPtdhRIieabB.exe.0.dr, LogIn.csLong String: Length: 13656
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.csLong String: Length: 13656
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.csLong String: Length: 13656
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.csLong String: Length: 13656
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_00B9C5080_2_00B9C508
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_00B999900_2_00B99990
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D396F80_2_06D396F8
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D300400_2_06D30040
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D30D900_2_06D30D90
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D332780_2_06D33278
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D332690_2_06D33269
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D3301A0_2_06D3301A
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeCode function: 0_2_06D330280_2_06D33028
            Source: uqoYt8EFEWQXAne.exeBinary or memory string: OriginalFilename vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000000.635181214.0000000000152000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmpBinary or memory string: originalfilename vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673206890.0000000008D30000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669486065.0000000006B40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669605854.0000000006CC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exe, 00000004.00000000.659785837.0000000000702000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exeBinary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
            Source: uqoYt8EFEWQXAne.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: uqoYt8EFEWQXAne.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: krPtdhRIieabB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: uqoYt8EFEWQXAne.exe, LogIn.cs | Base64 encoded string: (string not reproduced)
            Source: krPtdhRIieabB.exe.0.dr, LogIn.cs | Base64 encoded string: (string not reproduced)
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs | Base64 encoded string: (string not reproduced)
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs | Base64 encoded string: (string not reproduced)
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.cs | Base64 encoded string: (string not reproduced)
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Mutant created: \Sessions\1\BaseNamedObjects\KDtpJHnhkvnJksKbat
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{9e8dc517-1111-49c1-9ace-3da1a887c465}
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File created: C:\Users\user\AppData\Local\Temp\tmp975D.tmp
            Source: uqoYt8EFEWQXAne.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: uqoYt8EFEWQXAne.exe | Virustotal: Detection: 42%
            Source: uqoYt8EFEWQXAne.exe | ReversingLabs: Detection: 31%
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File read: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: unknown | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe'
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: uqoYt8EFEWQXAne.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: uqoYt8EFEWQXAne.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: uqoYt8EFEWQXAne.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: krPtdhRIieabB.exe.0.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D365EC push eax; retf 0_2_06D365ED
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D36DEC push eax; ret 0_2_06D36DED
            Source: initial sample | Static PE information: section name: .text entropy: 7.49785747568
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File opened: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process information set: NOOPENFILEERRORBOX