Analysis Report SWIFT.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 227912
Start date: 06.05.2020
Start time: 13:06:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SWIFT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@68/10@0/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.7% (good quality ratio 90.8%)
  • Quality average: 80.3%
  • Quality standard deviation: 30.6%
HCA Information:
  • Successful, ratio: 93%
  • Number of executed functions: 265
  • Number of non-executed functions: 250
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Nanocore NetWire | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Software Packing 41 | Input Capture 41 | System Time Discovery 11 | Remote File Copy 1 | Screen Capture 1 | Data Encrypted 11 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 13 | Hidden Files and Directories 1 | Process Injection 112 | Disabling Security Tools 1 | Network Sniffing | Security Software Discovery 341 | Remote Services | Input Capture 41 | Exfiltration Over Other Network Medium | Commonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface 2 | Scheduled Task 1 | Scheduled Task 1 | Deobfuscate/Decode Files or Information 11 | Input Capture | File and Directory Discovery 3 | Windows Remote Management | Clipboard Data 1 | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task 1 | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 3 | Credentials in Files | System Information Discovery 26 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 11 | Account Manipulation | Virtualization/Sandbox Evasion 13 | Shared Webroot | Data Staged | Scheduled Transfer | Remote Access Tools 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories 1 | Brute Force | Process Discovery 3 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion 13 | Two-Factor Authentication Interception | Application Window Discovery 11 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 112 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Avira: detection malicious, Label: TR/Spy.Gen
Found malware configuration
Source: SWIFT.exe.2976.15.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.158"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; ReversingLabs: Detection: 77%
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; ReversingLabs: Detection: 77%
Multi AV Scanner detection for submitted file
Source: SWIFT.exe; Virustotal: Detection: 51%
Source: SWIFT.exe; ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SWIFT.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 39.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 39.2.SWIFT.exe.ac0000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 2.2.bob1.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 20.2.SWIFT.exe.2280000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 32.2.SWIFT.exe.920000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.0.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 15.2.SWIFT.exe.6e0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 28.2.SWIFT.exe.26e0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 34.2.SWIFT.exe.2680000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.SWIFT.exe.5f0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 20.2.SWIFT.exe.2230000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 22.2.SWIFT.exe.26f0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 38.2.SWIFT.exe.26b0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.SWIFT.exe.27c0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.SWIFT.exe.26a0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 26.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 11.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 23.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 32.2.SWIFT.exe.960000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.0.bob1.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 23.2.SWIFT.exe.650000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 39.2.SWIFT.exe.640000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 15.2.SWIFT.exe.2100000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 29.2.SWIFT.exe.20f0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.0.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 8.2.SWIFT.exe.34b0000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 20.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 26.2.SWIFT.exe.5e0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 31.2.SWIFT.exe.26d0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 32.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 32.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.2.bob1.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 31.2.SWIFT.exe.2710000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 39.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 26.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 34.2.SWIFT.exe.26d0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 35.2.SWIFT.exe.970000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 35.2.SWIFT.exe.9b0000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 29.2.SWIFT.exe.2130000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.SWIFT.exe.630000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.SWIFT.exe.3320000.3.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 19.2.SWIFT.exe.2820000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 35.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 29.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 14.2.SWIFT.exe.2810000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.2.Host.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 19.2.SWIFT.exe.27e0000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 29.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 26.2.SWIFT.exe.620000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 38.2.SWIFT.exe.26f0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 23.2.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.2.SWIFT.exe.3360000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.0.bob1.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 8.2.SWIFT.exe.3470000.3.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 11.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.SWIFT.exe.2030000.6.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.SWIFT.exe.1fb0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 25.2.SWIFT.exe.2810000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 15.1.SWIFT.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 23.2.SWIFT.exe.610000.2.unpack; Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 2_2_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,2_2_0041249C
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 2_2_0041294C CryptDestroyHash,CryptReleaseContext,2_2_0041294C
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 2_2_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,2_2_00412660
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 2_2_00413F70 CryptUnprotectData,LocalFree,2_2_00413F70
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 2_2_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,2_2_00411320
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 9_2_0041249C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_0041249C
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 9_2_0041294C CryptDestroyHash,CryptReleaseContext,9_2_0041294C
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 9_2_00412660 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,RegQueryValueExA,LocalFree,CryptDestroyHash,CryptReleaseContext,9_2_00412660
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 9_2_00413F70 CryptUnprotectData,LocalFree,9_2_00413F70
Source: C:\Users\user\AppData\Local\Temp\bob1.exe; Code function: 9_2_00411320 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,9_2_00411320

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_004082EC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 0_2_004082EC
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_00404FA0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 0_2_00404FA0
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 2_2_0040A450
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose | 2_2_0040A070
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen | 2_2_00413400
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 2_2_0040AB10
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 2_2_0041A720
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4_2_004082EC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 4_2_004082EC
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4_2_00404FA0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 4_2_00404FA0
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 8_2_004082EC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 8_2_004082EC
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 8_2_00404FA0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 8_2_00404FA0
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_0040A450 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 9_2_0040A450
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_0040A070 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose | 9_2_0040A070
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_00413400 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen | 9_2_00413400
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_0040AB10 GetFileAttributesA,GetFileAttributesExA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 9_2_0040AB10
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_0041A720 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose | 9_2_0041A720
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_00409CE0 SetErrorMode,GetLogicalDriveStringsA,GetDiskFreeSpaceExA,GetDriveTypeA,GetVolumeInformationA | 2_2_00409CE0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 0_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 0_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ecx, dword ptr [ebp+edi*4-00000420h] | 0_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov eax, dword ptr [ebp+ebx*4-00000420h] | 0_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_05DD69F0
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_05DD69E1
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_05DD6A5A
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov esp, ebp | 3_2_05DD3610
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 4_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 4_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ecx, dword ptr [ebp+edi*4-00000420h] | 4_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov eax, dword ptr [ebp+ebx*4-00000420h] | 4_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 8_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ebx, dword ptr [ebp-10h] | 8_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov ecx, dword ptr [ebp+edi*4-00000420h] | 8_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then mov eax, dword ptr [ebp+ebx*4-00000420h] | 8_2_0045FBD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 4x nop then push ebp | 8_2_023B019F

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 43.226.229.43:2030
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 185.140.53.158:1414
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Connects to IPs without corresponding DNS lookups
Contains functionality to download additional files from the internet
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0040D8EC recv,fopen,fwrite,recv,fclose | 2_2_0040D8EC
Urls found in memory or binary data
Source: SWIFT.exe, 00000003.00000002.954375384.0000000002100000.00000004.00000001.sdmp | String found in binary or memory: http://google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_0042147C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader | 0_2_0042147C
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_00417A40 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteDC,DeleteObject,free,GetDIBits,calloc,GetDIBits | 2_2_00417A40
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_0043FB6C GetKeyboardState | 0_2_0043FB6C
Creates a DirectInput object (often for capturing keystrokes)
Source: bob1.exe, 00000002.00000002.551308718.00000000009A0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: SWIFT.exe, 00000003.00000002.963540585.00000000054F0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 2_2_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState | 2_2_0040E040
Source: C:\Users\user\AppData\Local\Temp\bob1.exe | Code function: 9_2_0040E040 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetLocalTime,GetWindowTextA,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState | 9_2_0040E040

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: SWIFT.exe, type: SAMPLE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 2076, type: SAMPLE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 2076, type: SAMPLE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.527525883.00000000004CC000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000000.00000000.527525883.00000000004CC000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.647389147.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.745150274.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000001A.00000002.745150274.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.547664750.00000000004CC000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000003.00000000.547664750.00000000004CC000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000016.00000003.683664592.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000016.00000003.683664592.0000000002290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.949382695.000000000041C000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000D.00000002.949382695.000000000041C000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000027.00000002.913355502.0000000000642000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000027.00000002.913355502.0000000000642000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.556351874.0000000003399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.556351874.0000000003399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.948824383.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.948824383.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.651181818.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000010.00000002.651181818.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.953565321.0000000001FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.606431270.00000000004C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.606431270.00000000004C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.763815685.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001C.00000002.763815685.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.746283722.0000000000622000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.746283722.0000000000622000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.827924245.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.590570220.00000000034B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.590570220.00000000034B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.963540585.00000000054F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000003.758250006.0000000002470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001C.00000003.758250006.0000000002470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000000.882907980.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000026.00000000.882907980.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.786276781.00000000005F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.786276781.00000000005F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.803581834.0000000002712000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000002.803581834.0000000002712000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.545725218.0000000002290000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000003.545725218.0000000002290000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.724834811.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000019.00000002.724834811.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.612380359.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000D.00000000.612380359.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.950168292.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000005.00000002.950168292.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.606055599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.606055599.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.654241686.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000015.00000000.654241686.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.642978087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.642978087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.677596280.0000000002232000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.677596280.0000000002232000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.912327939.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000002.912327939.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.875700075.00000000009B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.875700075.00000000009B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.762458104.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001E.00000000.762458104.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000000.760896280.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001D.00000000.760896280.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.954375384.0000000002100000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.787383289.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.787383289.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.652734422.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000014.00000000.652734422.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.954281586.00000000020E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000001.547957650.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000001.547957650.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.875486461.0000000000972000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.875486461.0000000000972000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.918676856.00000000029A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.677808723.0000000002282000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.677808723.0000000002282000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.607564887.0000000000632000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.607564887.0000000000632000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.720256595.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001A.00000000.720256595.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.556135514.0000000003362000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.556135514.0000000003362000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.684551453.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000015.00000002.684551453.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.800883380.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001F.00000002.800883380.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.844151518.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000022.00000002.844151518.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.823604409.00000000007B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.823604409.00000000007B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.578038161.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000009.00000000.578038161.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000003.616421977.00000000024B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000E.00000003.616421977.00000000024B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.711717969.0000000000652000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.711717969.0000000000652000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.790348892.0000000002770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000000.682694425.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000016.00000000.682694425.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.624791565.0000000002849000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.624791565.0000000002849000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.963262291.0000000005140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.787592817.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.787592817.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000000.842385596.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000025.00000000.842385596.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.867123223.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.867123223.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.722832406.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001B.00000000.722832406.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.893824269.0000000002729000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000026.00000002.893824269.0000000002729000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.550168331.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.550168331.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.688700918.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000016.00000002.688700918.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.624679288.0000000002812000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.624679288.0000000002812000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.658638074.0000000002859000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.658638074.0000000002859000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.710517844.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.710517844.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.796106993.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001E.00000002.796106993.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.846503171.0000000002709000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.846503171.0000000002709000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000001.798005934.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000001.798005934.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.835593527.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000022.00000000.835593527.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.950050225.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000009.00000002.950050225.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.828084130.00000000039C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.718761498.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000018.00000002.718761498.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.584410982.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000C.00000000.584410982.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.871964852.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.871964852.00000000005D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.745310599.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.745310599.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.545604105.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000002.00000000.545604105.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.884981751.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000025.00000002.884981751.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.550772284.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000002.00000002.550772284.000000000041C000.00000004.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.621181894.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000010.00000000.621181894.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.794179819.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001F.00000000.794179819.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.650506748.00000000023F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000013.00000003.650506748.00000000023F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.745909256.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.745909256.00000000005A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.954480172.0000000002130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.953305206.0000000001FB2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.953305206.0000000001FB2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.954182935.00000000020C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.691206381.0000000002729000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.691206381.0000000002729000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.758807143.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000001B.00000002.758807143.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000001.686513360.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000001.686513360.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.890594582.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000026.00000002.890594582.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.549682132.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000005.00000000.549682132.000000000041C000.00000008.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.727747661.0000000002849000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.727747661.0000000002849000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.676402481.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.676402481.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.676206541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.676206541.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000000.887006492.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000027.00000000.887006492.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.583499440.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0000000B.00000000.583499440.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000003.718128404.0000000002740000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000019.00000003.718128404.0000000002740000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.767128685.0000000002719000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.767128685.0000000002719000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.711552890.0000000000612000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.711552890.0000000000612000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.838831541.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000021.00000002.838831541.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.954591098.0000000002160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000001.887922334.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000001.887922334.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.840235775.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000023.00000000.840235775.00000000004CC000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.824350392.0000000000962000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.824350392.0000000000962000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.643644002.00000000006A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.643644002.00000000006A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.879535727.00000000037E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.803735478.0000000002749000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001F.00000002.803735478.0000000002749000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000000.798791754.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000021.00000000.798791754.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.622846510.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000E.00000002.622846510.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.952977986.0000000000950000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.952977986.0000000000950000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.785369036.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001D.00000002.785369036.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.912488471.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000027.00000002.912488471.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.954520948.0000000002140000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001C.00000002.766905599.00000000026E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001C.00000002.766905599.00000000026E2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000003.795313504.0000000000630000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000001F.00000003.795313504.0000000000630000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.658445063.0000000002822000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000013.00000002.658445063.0000000002822000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.953619371.0000000002000000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.643101139.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.643101139.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.611536564.00000000027E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.785581325.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001D.00000002.785581325.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.615554515.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000E.00000000.615554515.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.879419416.00000000027E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.715055669.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.677449067.00000000021F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000014.00000002.677449067.00000000021F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.611757502.00000000037E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.680602990.00000000039E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.751812695.0000000003980000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000000.757080315.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000001C.00000000.757080315.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000027.00000002.913239421.0000000000600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000027.00000002.913239421.0000000000600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.893653816.00000000026F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000026.00000002.893653816.00000000026F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.822695187.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000020.00000002.822695187.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.954418082.0000000002110000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.954679507.0000000002190000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000000.685927537.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000017.00000000.685927537.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.581004863.000000000041C000.00000008.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000A.00000000.581004863.000000000041C000.00000008.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000023.00000001.841186797.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000023.00000001.841186797.0000000000439000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.555600849.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000008.00000000.555600849.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.710682780.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.710682780.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.607367384.00000000005F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000B.00000002.607367384.00000000005F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.953715847.0000000002020000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000013.00000002.656012150.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000013.00000002.656012150.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.822524720.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000020.00000002.822524720.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000000.797538835.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000020.00000000.797538835.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.617131338.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000C.00000002.617131338.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000027.00000002.914083557.0000000000AC2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000027.00000002.914083557.0000000000AC2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.644369191.0000000002102000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.644369191.0000000002102000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.551180653.0000000000780000.00000004.00000040.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000002.00000002.551180653.0000000000780000.00000004.00000040.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.606185172.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000B.00000002.606185172.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.867348922.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000023.00000002.867348922.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.751682643.0000000002980000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.691028484.00000000026F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000016.00000002.691028484.00000000026F2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.824171468.0000000000922000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000020.00000002.824171468.0000000000922000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.643750970.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.643750970.00000000006E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.953822430.0000000002032000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.953822430.0000000002032000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.918795315.00000000039A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.548796598.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000004.00000000.548796598.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000022.00000003.836997328.0000000002600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000022.00000003.836997328.0000000002600000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000026.00000003.884236128.00000000021B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000026.00000003.884236128.00000000021B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.585687569.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000008.00000002.585687569.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.950463818.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000004.00000002.950463818.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.949249200.000000000041C000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000A.00000002.949249200.000000000041C000.00000004.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000003.578169786.0000000002750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000008.00000003.578169786.0000000002750000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.687571511.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000018.00000000.687571511.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.680507748.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.954326669.00000000020F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.711000249.00000000004F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.711000249.00000000004F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.649647966.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000013.00000000.649647966.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.647540586.0000000003850000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000000.717267624.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 00000019.00000000.717267624.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.790490118.0000000003770000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.846322468.00000000026D2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000022.00000002.846322468.00000000026D2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.590760355.00000000034E9000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000008.00000002.590760355.00000000034E9000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000000.618806933.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 0000000F.00000000.618806933.00000000004CC000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.949249933.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.949249933.0000000000439000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.746097736.00000000005E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000001A.00000002.746097736.00000000005E2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.727571584.0000000002812000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000017.00000002.715188559.00000000039E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.727571584.0000000002812000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 2976, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 2976, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 2432, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4896, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 4896, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 4588, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 3952, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3952, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 4844, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 1468, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 5104, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 5104, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 5104, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 3396, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3396, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3396, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 3028, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3028, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3028, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: bob1.exe PID: 4292, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 2612, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 2612, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 2612, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 608, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 608, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 608, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 4804, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 4804, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 4804, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 2272, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 2272, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 2272, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: bob1.exe PID: 952, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: Process Memory Space: bob1.exe PID: 952, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 760, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 760, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 760, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 3976, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3976, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3976, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 4616, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 4616, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 4616, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 2876, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 4572, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 4572, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 4572, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 4032, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 4032, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 1256, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 2380, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 2380, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 1460, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 1460, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3764, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 3620, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3620, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3620, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4124, type: MEMORY, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: Process Memory Space: Host.exe PID: 4124, type: MEMORY, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT.exe PID: 2892, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 2892, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SWIFT.exe PID: 3492, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: SWIFT.exe PID: 3492, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Install\Host.exe, type: DROPPED, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: dropped/bob1.exe, type: DROPPED, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: dropped/bob1.exe, type: DROPPED, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\bob1.exe, type: DROPPED, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\bob1.exe, type: DROPPED, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.SWIFT.exe.2020000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.bob1.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 2.2.bob1.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 5.2.Host.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 5.2.Host.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 29.2.SWIFT.exe.5f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 29.2.SWIFT.exe.5f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.SWIFT.exe.2280000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 20.2.SWIFT.exe.2280000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.Host.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects unspecified malware sample, Author: Florian Roth
Source: 13.0.Host.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 23.2.SWIFT.exe.4f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 23.2.SWIFT.exe.4f0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.2.SWIFT.exe.5d0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 35.2.SWIFT.exe.5d0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 39.2.SWIFT.exe.ac0000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 39.2.SWIFT.exe.ac0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.20e0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.SWIFT.exe.2160000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 39.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 39.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.54f0000.19.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.SWIFT.exe.1ff0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 11.2.SWIFT.exe.4c0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 11.2.SWIFT.exe.4c0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.2000000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 34.2.SWIFT.exe.2680000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 34.2.SWIFT.exe.2680000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 39.2.SWIFT.exe.600000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 39.2.SWIFT.exe.600000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 38.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 14.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 38.2.SWIFT.exe.26b0000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 38.2.SWIFT.exe.26b0000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.5140000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 34.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 27.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 14.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 21.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 15.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 28.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 19.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 25.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 32.2.SWIFT.exe.7b0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 32.2.SWIFT.exe.7b0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.SWIFT.exe.27c0000.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 25.2.SWIFT.exe.27c0000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.2100000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 31.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect netwire in memory, Author: JPCERT/CC Incident Response Group
Source: 11.2.SWIFT.exe.4c0000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SWIFT.exe.4c0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.SWIFT.exe.26a0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.SWIFT.exe.26a0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 13.2.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 23.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bob1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 2.0.bob1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.SWIFT.exe.960000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.SWIFT.exe.960000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.SWIFT.exe.2190000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.SWIFT.exe.2130000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.SWIFT.exe.20f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.SWIFT.exe.650000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.SWIFT.exe.650000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 8.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.SWIFT.exe.920000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.SWIFT.exe.920000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 31.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.SWIFT.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.SWIFT.exe.2140000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.SWIFT.exe.6e0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.SWIFT.exe.6e0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 38.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.SWIFT.exe.2100000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.SWIFT.exe.2100000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 39.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.SWIFT.exe.5f0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.SWIFT.exe.26e0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.1.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.0.Host.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 35.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.SWIFT.exe.5f0000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.0.SWIFT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.SWIFT.exe.2230000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.SWIFT.exe.2230000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_0045D71C NtdllDefWindowProc_A,0_2_0045D71C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_00452A2C GetSubMenu,SaveDC,RestoreDC,734BB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_00442AE8 NtdllDefWindowProc_A,GetCapture,0_2_00442AE8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_0042ABB8 NtdllDefWindowProc_A,0_2_0042ABB8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_0045DEC4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045DEC4
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_0045DF74 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045DF74
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_00440159 NtCreateSection,3_2_00440159
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04BA1A02 NtQuerySystemInformation,3_2_04BA1A02
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04BA19C7 NtQuerySystemInformation,3_2_04BA19C7
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_1_00440159 NtCreateSection,3_1_00440159
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_0045D71C NtdllDefWindowProc_A,4_2_0045D71C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_00452A2C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,4_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_00442AE8 NtdllDefWindowProc_A,GetCapture,4_2_00442AE8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_0042ABB8 NtdllDefWindowProc_A,4_2_0042ABB8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_0045DEC4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_0045DEC4
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_0045DF74 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_0045DF74
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_0045D71C NtdllDefWindowProc_A,8_2_0045D71C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_00452A2C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,8_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_00442AE8 NtdllDefWindowProc_A,GetCapture,8_2_00442AE8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_0042ABB8 NtdllDefWindowProc_A,8_2_0042ABB8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_0045DEC4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,8_2_0045DEC4
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_0045DF74 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,8_2_0045DF74
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_023B265A NtMapViewOfSection,8_2_023B265A
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_023B47D4 NtQueryInformationProcess,NtQueryInformationProcess,8_2_023B47D4
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_023B4B2E GetThreadContext,VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,8_2_023B4B2E
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_023B2F3A NtCreateSection,8_2_023B2F3A
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_023B7068 SetThreadContext,NtResumeThread,8_2_023B7068
Detected potential crypto function
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_00452A2C0_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 0_2_00457C140_2_00457C14
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004030F02_2_004030F0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_00403DF02_2_00403DF0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_0040DE212_2_0040DE21
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_0040DAC02_2_0040DAC0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_0040368C2_2_0040368C
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004042812_2_00404281
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_00403EB72_2_00403EB7
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_0040F3402_2_0040F340
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004063602_2_00406360
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004047792_2_00404779
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004153002_2_00415300
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_004047302_2_00404730
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_0040A7A02_2_0040A7A0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 2_2_00403BB02_2_00403BB0
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_0040524A3_2_0040524A
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_0044A4A23_2_0044A4A2
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_004399763_2_00439976
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_0043F13D3_2_0043F13D
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A638503_2_04A63850
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A686A83_2_04A686A8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A692A83_2_04A692A8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A632BB3_2_04A632BB
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A623A03_2_04A623A0
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A62FA83_2_04A62FA8
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A6AF783_2_04A6AF78
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A6306F3_2_04A6306F
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A695BB3_2_04A695BB
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A6936F3_2_04A6936F
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_04A69B503_2_04A69B50
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD17783_2_05DD1778
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD23783_2_05DD2378
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD6F603_2_05DD6F60
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD7B603_2_05DD7B60
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD57083_2_05DD5708
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD42603_2_05DD4260
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD4E603_2_05DD4E60
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD5FEB3_2_05DD5FEB
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD4F273_2_05DD4F27
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD243F3_2_05DD243F
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_2_05DD7C273_2_05DD7C27
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_1_0044A4A23_1_0044A4A2
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_1_004399763_1_00439976
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 3_1_0043F13D3_1_0043F13D
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_00452A2C4_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 4_2_00457C144_2_00457C14
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_00452A2C8_2_00452A2C
Source: C:\Users\user\Desktop\SWIFT.exeCode function: 8_2_00457C148_2_00457C14
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004030F09_2_004030F0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_00403DF09_2_00403DF0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_0040DE219_2_0040DE21
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_0040DAC09_2_0040DAC0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_0040368C9_2_0040368C
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004042819_2_00404281
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_00403EB79_2_00403EB7
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_0040F3409_2_0040F340
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004063609_2_00406360
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004047799_2_00404779
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004153009_2_00415300
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_004047309_2_00404730
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_0040A7A09_2_0040A7A0
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: 9_2_00403BB09_2_00403BB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\bob1.exeCode function: String function: 0040BD00 appears 44 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00405C98 appears 48 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00403E4C appears 210 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 0040E9FC appears 33 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 0040D8F8 appears 63 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00439F3C appears 36 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00409878 appears 33 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 004030FC appears 42 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00403488 appears 72 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 0043936B appears 32 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00403E70 appears 63 times
Source: C:\Users\user\Desktop\SWIFT.exeCode function: String function: 00405FC4 appears 189 times
PE file contains strange resources
Source: SWIFT.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SWIFT.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SWIFT.exe, 00000000.00000002.554570438.00000000029C0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.555257080.0000000002AC0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.555257080.0000000002AC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.953565321.0000000001FF0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.963540585.00000000054F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.963540585.00000000054F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.954375384.0000000002100000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.954281586.00000000020E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.957248708.0000000002904000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.963262291.0000000005140000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.962156196.0000000004AB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.960062394.0000000003A08000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.960062394.0000000003A08000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000003.00000002.960062394.0000000003A08000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000008.00000002.589436311.0000000002B00000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SWIFT.exe
Source: SWIFT.exe, 00000008.00000002.586905015.0000000002350000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000008.00000002.589949956.0000000002C00000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SWIFT.exe
Source: SWIFT.exe, 00000008.00000002.589949956.0000000002C00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SWIFT.exe
Source: SWIFT.exe, 0000000B.00000002.607908205.00000000006C0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs SWIFT.exe
Source: SWIFT.exe, 0000000B.00000002.611536564.00000000027E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000000B.00000002.611536564.00000000027E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000000B.00000002.611757502.00000000037E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000000B.00000002.612799878.0000000004A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000000C.00000002.617785531.0000000000650000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000000E.00000002.623793596.0000000002350000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000000F.00000002.647389147.0000000002850000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000000F.00000002.647389147.0000000002850000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000000F.00000002.648149579.0000000004A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000000F.00000002.644015663.0000000000750000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs SWIFT.exe
Source: SWIFT.exe, 0000000F.00000002.647540586.0000000003850000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000010.00000002.652180712.0000000002200000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000013.00000002.657520563.0000000002350000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000014.00000002.680602990.00000000039E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000014.00000002.680602990.00000000039E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000014.00000002.680602990.00000000039E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000014.00000002.678949027.0000000002670000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000015.00000002.685373778.0000000002200000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000017.00000002.711990365.0000000000701000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs SWIFT.exe
Source: SWIFT.exe, 00000017.00000002.713481855.0000000002560000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000017.00000002.715055669.00000000029E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000017.00000002.715055669.00000000029E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000017.00000002.715188559.00000000039E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 00000018.00000002.719524724.0000000000760000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 00000019.00000002.726408336.0000000002250000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000001A.00000002.748666397.00000000025E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000001A.00000002.751812695.0000000003980000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001A.00000002.751812695.0000000003980000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001A.00000002.751812695.0000000003980000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001C.00000002.765093699.0000000002210000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000001D.00000002.790348892.0000000002770000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001D.00000002.790348892.0000000002770000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001D.00000002.791409240.0000000004A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SWIFT.exe
Source: SWIFT.exe, 0000001D.00000002.790490118.0000000003770000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs SWIFT.exe
Source: SWIFT.exe, 0000001E.00000002.796999378.0000000000770000.00000002.00000001.sdmp