Loading ...

Play interactive tourEdit tour

Analysis Report QTxFuxF5NQ.exe

Overview

General Information

Sample Name:QTxFuxF5NQ.exe
Analysis ID:356819
MD5:06ab01b61a81d223e61fc64a11b50a39
SHA1:6ea28b8ba49d332c9c937b1d2bf4a212bb50ab65
SHA256:8a7d56c6c4f937173a0a45145765feb562b1fae368d9297a03dd4ea098d90d03
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • QTxFuxF5NQ.exe (PID: 7084 cmdline: 'C:\Users\user\Desktop\QTxFuxF5NQ.exe' MD5: 06AB01B61A81D223E61FC64A11B50A39)
    • schtasks.exe (PID: 2848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 6700 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 2220 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 4424 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    Click to see the 17 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    6.2.RegSvcs.exe.465310d.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xb184:$x1: NanoCore.ClientPluginHost
    • 0x24170:$x1: NanoCore.ClientPluginHost
    • 0xb1b1:$x2: IClientNetworkHost
    • 0x2419d:$x2: IClientNetworkHost
    6.2.RegSvcs.exe.465310d.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xb184:$x2: NanoCore.ClientPluginHost
    • 0x24170:$x2: NanoCore.ClientPluginHost
    • 0xc25f:$s4: PipeCreated
    • 0x2524b:$s4: PipeCreated
    • 0xb19e:$s5: IClientLoggingHost
    • 0x2418a:$s5: IClientLoggingHost
    6.2.RegSvcs.exe.465310d.3.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      6.2.RegSvcs.exe.6144629.9.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
      6.2.RegSvcs.exe.6144629.9.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
      Click to see the 39 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6120, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Sigma detected: Scheduled temp file as task from temp locationShow sources
      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\QTxFuxF5NQ.exe' , ParentImage: C:\Users\user\Desktop\QTxFuxF5NQ.exe, ParentProcessId: 7084, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', ProcessId: 2848

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Roaming\CDaJolZUw.exeReversingLabs: Detection: 33%
      Multi AV Scanner detection for submitted fileShow sources
      Source: QTxFuxF5NQ.exeReversingLabs: Detection: 33%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
      Source: Yara matchFile source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Roaming\CDaJolZUw.exeJoe Sandbox ML: detected
      Machine Learning detection for sampleShow sources
      Source: QTxFuxF5NQ.exeJoe Sandbox ML: detected
      Source: 6.2.RegSvcs.exe.6140000.8.unpackAvira: Label: TR/NanoCore.fadte
      Source: 6.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

      Compliance:

      barindex
      Uses 32bit PE filesShow sources
      Source: QTxFuxF5NQ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Uses new MSVCR DllsShow sources
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
      Source: QTxFuxF5NQ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Binary contains paths to debug symbolsShow sources
      Source: Binary string: .pdb_ source: QTxFuxF5NQ.exe, 00000000.00000002.661856455.00000000015CD000.00000004.00000020.sdmp
      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
      Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000B.00000002.671984110.00000000051B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675513074.0000000005140000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.688584110.0000000004E40000.00000002.00000001.sdmp
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
      Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
      Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.6.dr
      Source: Binary string: mscorrc.pdb source: QTxFuxF5NQ.exe, 00000000.00000002.669858463.0000000008A20000.00000002.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915087376.0000000005E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.672928697.0000000005260000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675714982.00000000051F0000.00000002.00000001.sdmp
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08C795C8
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08C795B7
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08C79690
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08C7967F

      Networking:

      barindex
      Uses dynamic DNS servicesShow sources
      Source: unknownDNS query: name: jeksabide.duckdns.org
      Source: global trafficTCP traffic: 192.168.2.4:49745 -> 197.210.135.138:8989
      Source: Joe Sandbox ViewASN Name: VCG-ASNG VCG-ASNG
      Source: unknownDNS traffic detected: queries for: jeksabide.duckdns.org
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648543186.000000000592D000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comatn
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comficU
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comles-
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comy
      Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comyrlO
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.650188936.0000000001A8B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtH
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnS
      Source: QTxFuxF5NQ.exe, 00000000.00000003.647650814.0000000001A8B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnTF
      Source: QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnate
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
      Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/y
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de9
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo
      Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
      Source: QTxFuxF5NQ.exe, 00000000.00000002.661741104.0000000001590000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: RegSvcs.exe, 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
      Source: Yara matchFile source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.2.RegSvcs.exe.36116e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      .NET source code contains very large stringsShow sources
      Source: QTxFuxF5NQ.exe, LogIn.csLong String: Length: 13656
      Source: CDaJolZUw.exe.0.dr, LogIn.csLong String: Length: 13656
      Source: 0.0.QTxFuxF5NQ.exe.e90000.0.unpack, LogIn.csLong String: Length: 13656
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_0317180A NtQuerySystemInformation,6_2_0317180A
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_031717CF NtQuerySystemInformation,6_2_031717CF
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315FB900_2_0315FB90
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315FD980_2_0315FD98
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_03150B880_2_03150B88
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315D0180_2_0315D018
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_03150B770_2_03150B77
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315FB810_2_0315FB81
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315D0080_2_0315D008
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315E8F00_2_0315E8F0
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_0315E8EE0_2_0315E8EE
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C763C00_2_08C763C0
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C708E10_2_08C708E1
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C708F00_2_08C708F0
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C781D80_2_08C781D8
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C781E80_2_08C781E8
      Source: C:\Users\user\Desktop\QTxFuxF5NQ.exeCode function: 0_2_08C70B380_2_08C70B38
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_031023A06_2_031023A0
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_03102FA86_2_03102FA8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_0310B2386_2_0310B238
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_031089D86_2_031089D8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_031038506_2_03103850
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_0310969F6_2_0310969F
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_031095D86_2_031095D8
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 6_2_0310306F6_2_0310306F
      Source: QTxFuxF5NQ.exeBinary or memory string: OriginalFilename vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.667831770.0000000006B00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.670105598.0000000008BE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669858463.0000000008A20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000000.643920398.0000000000E92000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAction.exe6 vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669525319.0000000007480000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669716790.00000000089A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.661741104.0000000001590000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669676572.0000000007650000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669628440.00000000074E0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exe, 00000000.00000002.669628440.00000000074E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exeBinary or memory string: OriginalFilenameAction.exe6 vs QTxFuxF5NQ.exe
      Source: QTxFuxF5NQ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.RegSvcs.exe.36116e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: QTxFuxF5NQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: CDaJolZUw.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: QTxFuxF5NQ.exe, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
      Source: CDaJolZUw.exe.0.dr, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
      Source: 0.0.QTxFuxF5NQ.exe.e90000.0.unpack, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpw