
Analysis Report QqZFYLlfGU

Overview

General Information

Sample Name: QqZFYLlfGU (renamed file extension from none to exe)
MD5: 3de5b2f1da9fc79e4f52aa55661b0ca3
SHA1: f528d924be713c722457ac62468c41cb59f32122
SHA256: 1789493dcb90022e86b162654f82c15e83553689e0810c2758ed49ab1b8e5611

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to query locale information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT), Author: Joe Security

Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp
Rule: NanoCore (description: unknown), Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
  • 0x1e1e5:$x1: NanoCore.ClientPluginHost
  • 0x1e222:$x2: IClientNetworkHost
  • 0x21d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT), Author: Joe Security

      Unpacked PEs

Source: 1.2.QqZFYLlfGU.exe.2690000.5.raw.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Source: 1.2.QqZFYLlfGU.exe.2690000.5.raw.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT), Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack
Rule: Nanocore_RAT_Gen_2 (Detetcs the Nanocore RAT), Author: Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack
Rule: Nanocore_RAT_Feb18_1 (Detects Nanocore RAT), Author: Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack
Rule: JoeSecurity_Nanocore (Yara detected Nanocore RAT), Author: Joe Security
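The Yara Overview above records which marker strings the community rules found in each memory dump or unpacked PE and at what offset. The following scanner is an added example; it is not part of the Joe Sandbox report and is not the rule by Florian Roth or Kevin Breen that the report cites. It searches a memory region for the marker strings visible in the table, in both ASCII and UTF-16LE (a .NET assembly keeps type and member names as ASCII in the #Strings heap and user string literals as UTF-16LE), reports hits in the report's `0xoffset:$id: string` style, and applies a two-of-N threshold. The threshold, the wide-string search and the sample region bytes are this example's own assumptions; the page does not show the cited rules' actual conditions.

```python
"""Added example: reproduce the Yara Overview evidence style for NanoCore markers.
Not from the Joe Sandbox report and not the cited community rules; the marker
strings are the ones visible on the page, the '2 of N' condition is assumed."""
import re

# Marker strings the cited rules hit in this sample (copied from the report).
MARKERS = {
    "x1": "NanoCore.ClientPluginHost",
    "x2": "IClientNetworkHost",
    "s3": "PipeExists",
    "s4": "PipeCreated",
    "s5": "IClientLoggingHost",
}
# NanoCore builds carry obfuscated string literals with a "#=q" prefix (the $j
# hits above); match the prefix followed by a run of base64-style characters.
OBFUSCATED_LITERAL = re.compile(rb"#=q[A-Za-z0-9+/=]{8,}")


def scan_region(blob: bytes, min_markers: int = 2):
    """Return (hits, verdict).

    hits: list of (offset, id, encoding, text) sorted by offset.
    verdict: True when at least min_markers distinct marker ids are present
    (assumed threshold for this example, not the cited rules' condition).
    """
    hits = []
    for ident, text in MARKERS.items():
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("wide", text.encode("utf-16-le"))):
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, ident, enc, text))
                start = pos + 1
    for m in OBFUSCATED_LITERAL.finditer(blob):
        hits.append((m.start(), "j", "ascii", m.group().decode("ascii")))
    hits.sort()
    distinct = {h[1] for h in hits if h[1] != "j"}
    return hits, len(distinct) >= min_markers


def format_hits(hits):
    """Render hits in the report's '0xoffset:$id: string' style."""
    return [f"0x{off:x}:${ident}: {text}" + ("" if enc == "ascii" else " (wide)")
            for off, ident, enc, text in hits]


# Constructed test region (not a real dump): two markers embedded in filler,
# one of them as UTF-16LE, plus one obfuscated literal from the report.
SAMPLE_REGION = (
    b"\x00" * 0x40
    + b"NanoCore.ClientPluginHost\x00"          # ASCII marker at 0x40
    + b"\x00" * 0x10
    + "IClientNetworkHost".encode("utf-16-le")  # wide marker at 0x6a
    + b"\x00" * 0x08
    + b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe\x00"
    + b"\x00" * 0x20
)

if __name__ == "__main__":
    found, verdict = scan_region(SAMPLE_REGION)
    for line in format_hits(found):
        print(line)
    print("verdict:", "NanoCore markers present" if verdict else "no match")
```

To run it over a real dump, read the `.sdmp` or `.unpack` file as bytes and pass it to `scan_region`; the offsets then correspond to the values in the table above. Searching the wide form matters because the same identifier can appear only as a UTF-16LE user string in an unpacked plugin, where an ASCII-only rule would miss it.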

        Sigma Overview


        System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\QqZFYLlfGU.exe, ProcessId: 5860, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat

        Signature Overview


        AV Detection:

Multi AV Scanner detection for submitted file
Source: QqZFYLlfGU.exe, Virustotal: Detection: 87%
Source: QqZFYLlfGU.exe, ReversingLabs: Detection: 83%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1500000126.00000000006E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.1081044254.0000000000439000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1499465458.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1504798604.0000000003BC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1082676524.00000000026C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1082754697.00000000026F9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: QqZFYLlfGU.exe PID: 5860, type: MEMORY
Source: Yara match, File source: Process Memory Space: QqZFYLlfGU.exe PID: 4636, type: MEMORY
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.2ac0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: QqZFYLlfGU.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00408608 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00408708 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00405310 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then mov dword ptr [eax], ebx
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then mov ebx, dword ptr [ebp-10h]
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then and eax, 000000FFh
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then mov ebx, dword ptr [ebp-10h]
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then mov al, byte ptr [edx]
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then mov al, byte ptr [ebp+eax*4-00000420h]
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00479228, 4x nop then inc dword ptr [ebp-18h]
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_004793E8, 4x nop then cmp word ptr [ebp-20h], 07E2h

Source: global traffic, TCP traffic: 192.168.2.6:49942 -> 185.244.30.139:4050
Source: unknown, TCP traffic detected without corresponding DNS query: 185.244.30.139 (reported 50 times)
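The Sigma hit above (Event ID 11, `run.dat` dropped under a GUID-named folder in `%AppData%\Roaming`) and the network evidence just listed (a connection to 185.244.30.139:4050 with no DNS query for that address) are the two host-side behaviours most worth turning into detections. The following Python is an added example, not code from the Joe Sandbox report or from the Sigma rule it cites: it runs both checks over a small stream of Sysmon-style events. The event records are constructed dicts with Sysmon's field names rather than real telemetry; the GUID folder pattern, the list of ports treated as non-suspicious on their own, and the per-process DNS correlation are this example's assumptions.

```python
"""Added example: flag NanoCore-style persistence and direct-to-IP C2 in Sysmon events.
Not from the Joe Sandbox report or the cited Sigma rule. Events are plain dicts
using Sysmon field names; the patterns and port list below are assumptions."""
import re
from collections import defaultdict

GUID = (r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
        r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}")
# Path shape seen in the report: C:\Users\<user>\AppData\Roaming\<GUID>\run.dat
RUN_DAT = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)
# Ports not treated as suspicious on their own (assumption for the example).
STANDARD_PORTS = {80, 443, 53, 25, 587, 465, 993, 995, 110, 143}


def detect(events):
    """Return a list of alert strings for the given event stream.

    Events are processed in order, so a DNS query (Event ID 22) only explains
    connects (Event ID 3) that the same image makes afterwards.
    """
    alerts = []
    resolved_ips = defaultdict(set)  # image -> IPs returned by its DNS queries
    for ev in events:
        eid = ev["EventID"]
        if eid == 22:
            # Sysmon QueryResults is a ';'-separated string; IPv4 answers may
            # be written as IPv4-mapped IPv6 ("::ffff:a.b.c.d").
            for tok in ev.get("QueryResults", "").split(";"):
                tok = tok.strip()
                if tok.startswith("::ffff:"):
                    tok = tok[len("::ffff:"):]
                if tok:
                    resolved_ips[ev["Image"]].add(tok)
        elif eid == 11 and RUN_DAT.search(ev.get("TargetFilename", "")):
            alerts.append(
                f"NanoCore-style persistence: {ev['Image']} (PID {ev['ProcessId']}) "
                f"created {ev['TargetFilename']}")
        elif eid == 3 and ev.get("Protocol", "tcp") == "tcp" and ev.get("Initiated", True):
            port = int(ev["DestinationPort"])
            ip = ev["DestinationIp"]
            if port not in STANDARD_PORTS and ip not in resolved_ips[ev["Image"]]:
                alerts.append(
                    f"Direct-to-IP C2 candidate: {ev['Image']} -> {ip}:{port} "
                    f"(no preceding DNS query, non-standard port)")
    return alerts


# Constructed events mirroring the report's observations (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\QqZFYLlfGU.exe", "ProcessId": 5860,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat"},
    {"EventID": 3, "Image": r"C:\Users\user\Desktop\QqZFYLlfGU.exe", "ProcessId": 4636,
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.2.6", "SourcePort": 49942,
     "DestinationIp": "185.244.30.139", "DestinationPort": 4050},
    # Benign control: a process that resolved its host first and used 443.
    {"EventID": 22, "Image": r"C:\Program Files\Browser\browser.exe",
     "QueryName": "example.com", "QueryResults": "type: 5 example.com;::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "ProcessId": 1234,
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.2.6", "SourcePort": 50001,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The direct-to-IP check deliberately requires both conditions (no prior resolution and a non-standard port) because either alone is common in benign software; the run.dat check is the higher-confidence signal and matches the file the report's Sigma rule fired on.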

Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_0045710C GetKeyboardState
Source: QqZFYLlfGU.exe, 00000000.00000002.1082051326.00000000006BA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: QqZFYLlfGU.exe, 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same Yara matches listed under AV Detection above (10 memory dumps, the process memory spaces of PIDs 5860 and 4636, and 10 unpacked PEs)

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1500000126.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1500000126.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.1081044254.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000001.1081044254.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1499465458.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1499465458.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1504798604.0000000003BC7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1082676524.00000000026C2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.1082676524.00000000026C2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1501565397.0000000002690000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.1082754697.00000000026F9000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.1082754697.00000000026F9000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QqZFYLlfGU.exe PID: 5860, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: QqZFYLlfGU.exe PID: 5860, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QqZFYLlfGU.exe PID: 4636, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: QqZFYLlfGU.exe PID: 4636, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QqZFYLlfGU.exe.2690000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00474828 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_0045A088 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_0042E27C NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00474FD0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00475080 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00469B18 GetSubMenu,SaveDC,RestoreDC,7311B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_00440159 NtCreateSection
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_024F1642 NtQuerySystemInformation
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_024F1607 NtQuerySystemInformation
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_1_00440159 NtCreateSection
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00442138
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00422AA4
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00416BD6
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_0046ED20
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_0043B870
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 0_2_00469B18
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0040524A
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0044A4A2
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_00439976
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0043F13D
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_021B7AC6
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_02492FA8
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_024923A0
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_02493850
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_02498468
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_02499068
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0249AD38
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0249306F
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_02499910
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_2_0249912F
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_1_0044A4A2
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_1_00439976
Source: C:\Users\user\Desktop\QqZFYLlfGU.exe, Code function: 1_1_0043F13D
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: String function: 0040634C appears 63 times
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: String function: 00439F3C appears 36 times
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: String function: 00403FBC appears 91 times
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: String function: 0043936B appears 32 times
Source: QqZFYLlfGU.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QqZFYLlfGU.exe, 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs QqZFYLlfGU.exe
Source: QqZFYLlfGU.exe, 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs QqZFYLlfGU.exe
Source: QqZFYLlfGU.exe, 00000001.00000002.1501413699.00000000024E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs QqZFYLlfGU.exe
Source: QqZFYLlfGU.exe, 00000001.00000002.1503283538.0000000002B80000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs QqZFYLlfGU.exe
Source: QqZFYLlfGU.exe, 00000001.00000002.1505495603.0000000005770000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs QqZFYLlfGU.exe
Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.1500425457.0000000000922000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.1499549663.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.1503017633.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1500000126.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.1500000126.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000001.1081044254.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000001.1081044254.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.1499465458.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.1499465458.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.1504798604.0000000003BC7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1082676524.00000000026C2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.1082676524.00000000026C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.1501565397.0000000002690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.1501565397.0000000002690000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.1082754697.00000000026F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.1082754697.00000000026F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.1499933130.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: QqZFYLlfGU.exe PID: 5860, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: QqZFYLlfGU.exe PID: 5860, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: QqZFYLlfGU.exe PID: 4636, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: QqZFYLlfGU.exe PID: 4636, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.QqZFYLlfGU.exe.2690000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.2690000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.2ac0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.6a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.1.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.QqZFYLlfGU.exe.2680000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@0/1
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: 0_2_004255DC GetLastError,FormatMessageA,0_2_004255DC
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: 1_2_024F1402 AdjustTokenPrivileges,1_2_024F1402
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: 1_2_024F13E2 AdjustTokenPrivileges,1_2_024F13E2
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: 0_2_00408966 GetDiskFreeSpaceA,0_2_00408966
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeCode function: 0_2_00418348 FindResourceA,0_2_00418348
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeFile created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0Jump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{52e05d5b-dcbb-4f70-86bd-eb80b3602ddc}
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: QqZFYLlfGU.exeVirustotal: Detection: 87%
        Source: QqZFYLlfGU.exeReversingLabs: Detection: 83%
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeFile read: C:\Users\user\Desktop\QqZFYLlfGU.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\QqZFYLlfGU.exe 'C:\Users\user\Desktop\QqZFYLlfGU.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\QqZFYLlfGU.exe 'C:\Users\user\Desktop\QqZFYLlfGU.exe'
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeProcess created: C:\Users\user\Desktop\QqZFYLlfGU.exe 'C:\Users\user\Desktop\QqZFYLlfGU.exe' Jump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Unpacked PE file: 1.2.QqZFYLlfGU.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.reloc:R;.rsrc:R;
        Detected unpacking (creates a PE file in dynamic memory)
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Unpacked PE file: 1.2.QqZFYLlfGU.exe.920000.3.unpack
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Unpacked PE file: 1.2.QqZFYLlfGU.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C874 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042C874
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00461598 push 00461625h; ret 0_2_0046161D
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00464050 push 0046407Ch; ret 0_2_00464074
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00406064 push 00406090h; ret 0_2_00406088
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042A02C push 0042A058h; ret 0_2_0042A050
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C174 push 0042C1A0h; ret 0_2_0042C198
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00406120 push 0040614Ch; ret 0_2_00406144
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C12C push 0042C16Ah; ret 0_2_0042C162
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004221EE push 0042229Bh; ret 0_2_00422293
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004221F0 push 0042229Bh; ret 0_2_00422293
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C1AC push 0042C1E4h; ret 0_2_0042C1DC
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004222A0 push 00422330h; ret 0_2_00422328
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0040E360 push 0040E38Ch; ret 0_2_0040E384
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00462304 push ecx; mov dword ptr [esp], edx 0_2_00462308
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00448330 push 00448372h; ret 0_2_0044836A
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C4D0 push 0042C4FCh; ret 0_2_0042C4F4
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0046A5CC push 0046A637h; ret 0_2_0046A62F
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004225CC push 004225F8h; ret 0_2_004225F0
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004625A4 push ecx; mov dword ptr [esp], edx 0_2_004625A8
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0041A678 push ecx; mov dword ptr [esp], ecx 0_2_0041A67D
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042C67C push 0042C6A8h; ret 0_2_0042C6A0
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004507C8 push 0045083Dh; ret 0_2_00450835
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00450840 push 00450899h; ret 0_2_00450891
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004628F4 push 00462920h; ret 0_2_00462918
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00414938 push 004149AEh; ret 0_2_004149A6
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_0042A984 push 0042A9B0h; ret 0_2_0042A9A8
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_004149B0 push 00414A58h; ret 0_2_00414A50
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00476A68 push 00476AC2h; ret 0_2_00476ABA
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00414B54 push 00414B80h; ret 0_2_00414B78
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00406C18 push ecx; mov dword ptr [esp], eax 0_2_00406C19
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00430C88 push ecx; mov dword ptr [esp], ecx 0_2_00430C8C
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe Code function: 0_2_00402E48 push eax; ret 0_2_00402E84
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 0.2.QqZFYLlfGU.exe.26c0000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.QqZFYLlfGU.exe.6e0000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.QqZFYLlfGU.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.QqZFYLlfGU.exe.920000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | File opened: C:\Users\user\Desktop\QqZFYLlfGU.exe:Zone.Identifier (read attributes | delete)
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_004748B0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_004748B0
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_0045C060 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0045C060
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_0045C984 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0045C984
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_0042ABBC IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0042ABBC
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_00474FD0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00474FD0
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_00475080 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00475080
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_0045B7AC IsIconic,GetCapture, 0_2_0045B7AC
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_004718D8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_004718D8
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Code function: 0_2_0042C874 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042C874
        Source: C:\Users\user\Desktop\QqZFYLlfGU.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX; 27 occurrences)
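The zone.identifier signature in this section records the sample opening its own Zone.Identifier stream with delete access, which strips the Mark-of-the-Web that Windows attaches to downloaded files. The following Python is an added example, not code from the report or from the sample: it parses the stream format and, on Windows, reads the stream off a file. The contents of SAMPLE_STREAM and the URLs in it are constructed for illustration, and the function and class names are the example's own.

```python
"""Mark-of-the-Web (Zone.Identifier) inspection helpers.

Added example; not part of the sandbox report or the analysed sample.
SAMPLE_STREAM is a constructed Zone.Identifier stream in the INI layout
Windows writes; its URLs are illustrative only.
"""
import configparser
import sys
from dataclasses import dataclass
from typing import Optional

# URL security zones as numbered by urlmon (URLZONE_*).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser leaves on a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/QqZFYLlfGU.exe\r\n"
)


@dataclass
class ZoneInfo:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def is_marked(self) -> bool:
        """True when the file gets MotW handling (SmartScreen, Protected View)."""
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneInfo]:
    """Parse the INI-style contents of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section or no numeric ZoneId;
    a malformed or tampered stream is treated the same as an absent one.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written (ZoneId, HostUrl)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    try:
        zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None
    return ZoneInfo(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, f"unknown ({zone_id})"),
        referrer_url=parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        host_url=parser.get("ZoneTransfer", "HostUrl", fallback=None),
    )


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read <path>:Zone.Identifier through the NTFS ADS path syntax (Windows only).

    None means the stream is absent: the file was never marked, or the mark was
    removed, which is exactly what the report shows the sample doing to itself.
    """
    if sys.platform != "win32":
        raise OSError("alternate data streams require NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = read_zone_identifier(target) if target else parse_zone_identifier(SAMPLE_STREAM)
    if info is None:
        print("no Mark-of-the-Web present")
    else:
        print(f"ZoneId={info.zone_id} ({info.zone_name}) marked={info.is_marked}")
        print(f"HostUrl={info.host_url}")
```

Run it with a file path on a Windows host to see whether the mark is still present; with no argument it parses the constructed sample. A file the user is known to have downloaded that now has no stream is the removal artefact to look for. Sysmon Event ID 15 (FileCreateStreamHash) records the stream being written at download time, so a marked file that later shows no stream is the host-side counterpart of the "read attributes | delete" access logged above.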