Analysis Report SWIFTS.scr.exe

Overview

General Information

Sample Name: SWIFTS.scr.exe
Analysis ID: 385150
MD5: 0984d8481d809d2715214d220d5f3224
SHA1: be4bfdae28308590b04709935794109a77d5ecee
SHA256: f2597b91433ba86188dd0e53cf04d2c43d97f5231bc3077df18e75447f15c77c
Tags: exe NanoCore RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SWIFTS.scr.exe (PID: 4104 cmdline: 'C:\Users\user\Desktop\SWIFTS.scr.exe' MD5: 0984D8481D809D2715214D220D5F3224)
    • qtfarawjob.pif (PID: 6132 cmdline: 'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org MD5: F471B7C16D5B01AF9F67F5F4A921F81F)
      • RegSvcs.exe (PID: 1972 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 3120 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 5864 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • qtfarawjob.pif (PID: 5900 cmdline: 'C:\Users\user\AppData\Roaming\89378384\QTFARA~1.PIF' C:\Users\user\AppData\Roaming\89378384\ODFUGP~1.ORG MD5: F471B7C16D5B01AF9F67F5F4A921F81F)
    • RegSvcs.exe (PID: 2932 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7f972ccd-f2c1-42af-a77f-74adb4b9", "Group": "EGO OKU", "Domain1": "ekuro.hopto.org", "Domain2": "127.0.0.1", "Port": 1980, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
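The configuration above is what an analyst turns into indicators and detection logic. The Python below is an example added to this report, not Joe Sandbox or NanoCore code: it parses the extracted configuration, separates real C2 hosts from the 127.0.0.1 placeholder the builder leaves in an unused Domain slot, lists the enabled settings that change the host's posture (UAC bypass, Zone.Identifier removal, keylogging, hard-coded DNS resolvers), and pulls the run level and command out of the embedded Task Scheduler XML. The embedded configuration is the one shown above with the task XML's <Settings> block omitted to keep the sample short; the SENSITIVE_FLAGS list and the loopback-placeholder heuristic are the example's own assumptions.

```python
"""IOC extraction from a NanoCore client configuration as a sandbox config
extractor dumps it. Added example code, not part of Joe Sandbox or NanoCore."""
import json
import re
from ipaddress import ip_address

# The configuration shown in this report, with the embedded task XML's
# <Settings> block omitted to keep the sample short. Raw-string pieces are
# concatenated so the JSON escapes (\" and \r\n) reach json.loads untouched.
NANOCORE_CONFIG_JSON = (
    r'{"Version": "1.2.2.0", "Mutex": "7f972ccd-f2c1-42af-a77f-74adb4b9", '
    r'"Group": "EGO OKU", "Domain1": "ekuro.hopto.org", "Domain2": "127.0.0.1", '
    r'"Port": 1980, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", '
    r'"RequestElevation": "Disable", "BypassUAC": "Enable", '
    r'"ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", '
    r'"SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", '
    r'"ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", '
    r'"RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, '
    r'"TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, '
    r'"LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", '
    r'"MaxPacketSize": "0000a000", "GCThreshold": "0000a000", '
    r'"UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", '
    r'"BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": '
    r'"<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n'
    r'<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n'
    r'  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n'
    r'    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n'
    r'      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n'
    r'  <Actions Context=\"Author\">\r\n    <Exec>\r\n'
    r'      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n'
    r'    </Exec>\r\n  </Actions>\r\n</Task"}'
)

# Settings whose value "Enable" changes the host's security posture; the
# list is this example's choice, not a NanoCore definition.
SENSITIVE_FLAGS = ("BypassUAC", "ClearZoneIdentifier", "KeyboardLogging",
                   "SetCriticalProcess", "ClearAccessControl", "UseCustomDNS",
                   "RunOnStartup", "RequestElevation")

TASK_FIELD = re.compile(r"<(LogonType|RunLevel|Command|Arguments)>(.*?)</\1>", re.S)


def load_config(text):
    return json.loads(text)


def is_placeholder(host):
    """Builders leave 127.0.0.1 in an unused Domain slot; it is not a C2 IOC."""
    try:
        return ip_address(host).is_loopback
    except ValueError:          # a hostname, not an IP literal
        return False


def extract_iocs(cfg):
    hosts = [cfg.get("Domain1"), cfg.get("Domain2")]
    c2 = [h for h in hosts if h and not is_placeholder(h)]
    dns = ([cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
           if cfg.get("UseCustomDNS") == "Enable" else [])
    return {"c2": [f"{h}:{cfg['Port']}" for h in c2],
            "mutex": cfg["Mutex"], "group": cfg["Group"],
            "version": cfg["Version"], "dns_override": dns}


def enabled_flags(cfg):
    return [k for k in SENSITIVE_FLAGS if cfg.get(k) == "Enable"]


def task_summary(cfg):
    """Run level and command of the task NanoCore registers for its UAC bypass.
    A regex rather than an XML parser: extractor output is often truncated
    (this one ends in '</Task' with no closing '>'), which breaks strict parsing."""
    xml = cfg.get("BypassUserAccountControlData", "")
    return {m.group(1): m.group(2) for m in TASK_FIELD.finditer(xml)}


if __name__ == "__main__":
    cfg = load_config(NANOCORE_CONFIG_JSON)
    print(extract_iocs(cfg))
    print("enabled:", enabled_flags(cfg))
    print(task_summary(cfg))
```

Two points the output makes concrete. The durable network indicator is the dynamic-DNS name ekuro.hopto.org, not the 194.5.98.184 address the sandbox happened to see it resolve to; and with UseCustomDNS enabled the client resolves that name through 8.8.8.8/8.8.4.4 instead of the corporate resolver, so DNS logging at the internal resolver will not record the lookup unless outbound port 53 to external servers is blocked or proxied.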

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf9dd:$x1: NanoCore.ClientPluginHost
  • 0xfa1a:$x2: IClientNetworkHost
  • 0x1354d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xf745:$a: NanoCore
    • 0xf755:$a: NanoCore
    • 0xf989:$a: NanoCore
    • 0xf99d:$a: NanoCore
    • 0xf9dd:$a: NanoCore
    • 0xf7a4:$b: ClientPlugin
    • 0xf9a6:$b: ClientPlugin
    • 0xf9e6:$b: ClientPlugin
    • 0xf8cb:$c: ProjectData
    • 0x102d2:$d: DESCrypto
    • 0x17c9e:$e: KeepAlive
    • 0x15c8c:$g: LogClientMessage
    • 0x11e87:$i: get_Connected
    • 0x10608:$j: #=q
    • 0x10638:$j: #=q
    • 0x10654:$j: #=q
    • 0x10684:$j: #=q
    • 0x106a0:$j: #=q
    • 0x106bc:$j: #=q
    • 0x106ec:$j: #=q
    • 0x10708:$j: #=q
    00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x2205:$x1: NanoCore.ClientPluginHost
    • 0x223e:$x2: IClientNetworkHost
    00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x2205:$x2: NanoCore.ClientPluginHost
    • 0x2320:$s4: PipeCreated
    • 0x221f:$s5: IClientLoggingHost
    (139 entries in total; list truncated)

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    2.2.RegSvcs.exe.6f20000.28.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x605:$x1: NanoCore.ClientPluginHost
    • 0x63e:$x2: IClientNetworkHost
    2.2.RegSvcs.exe.6f20000.28.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x605:$x2: NanoCore.ClientPluginHost
    • 0x720:$s4: PipeCreated
    • 0x61f:$s5: IClientLoggingHost
    2.2.RegSvcs.exe.34c58f4.4.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x2dbb:$x1: NanoCore.ClientPluginHost
    • 0x2de5:$x2: IClientNetworkHost
    2.2.RegSvcs.exe.34c58f4.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x2dbb:$x2: NanoCore.ClientPluginHost
    • 0x4c6b:$s4: PipeCreated
    2.2.RegSvcs.exe.6f10000.27.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0x5b0b:$x1: NanoCore.ClientPluginHost
    • 0x5b44:$x2: IClientNetworkHost
    (186 entries in total; list truncated)

    Sigma Overview

    System Summary:

    Sigma detected: NanoCore
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 1972, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Sigma detected: Scheduled temp file as task from temp location
    Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 1972, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp', ProcessId: 3120
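The Startup tree and the two Sigma hits above describe a single chain: the WinRAR SFX SWIFTS.scr.exe (sfxrar.pdb) drops an AutoIt interpreter renamed qtfarawjob.pif together with a script carrying a .org extension under AppData\Roaming; that interpreter launches a copy of the .NET utility RegSvcs.exe from AppData\Local\Temp; and the NanoCore payload injected into it registers the scheduled task 'DHCP Monitor' from an XML file in Temp. The Python below is an example added to this report, not part of Joe Sandbox or of any Sigma rule: three detection functions run over process-creation events reconstructed from the tree (plus two constructed benign control events that are not from the report), and an ancestry helper walks the parent chain of each hit. The event field names (pid, ppid, image, cmdline) and the rule names are the example's own. The .NET check generalises the report's single RegSvcs.exe observation to RegAsm.exe and InstallUtil.exe, which ship in the same Framework directory.

```python
"""Process-creation detections for the execution chain in this report.
Added example code, not from Joe Sandbox or a Sigma rule. Event field
names are this example's assumption."""
import re
from pathlib import PureWindowsPath

# Events reconstructed from the report's startup tree (pids, images and
# command lines as listed there); parent pids follow the tree's nesting.
REPORT_EVENTS = [
    {"pid": 4104, "ppid": None,
     "image": r"C:\Users\user\Desktop\SWIFTS.scr.exe",
     "cmdline": r"'C:\Users\user\Desktop\SWIFTS.scr.exe'"},
    {"pid": 6132, "ppid": 4104,
     "image": r"C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif",
     "cmdline": r"'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org"},
    {"pid": 1972, "ppid": 6132,
     "image": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"},
    {"pid": 3120, "ppid": 1972,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'"},
    {"pid": 2404, "ppid": 3120,
     "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]
# Constructed benign controls (not from the report): the same binaries in
# their legitimate location and usage, which must not trigger anything.
BENIGN_EVENTS = [
    {"pid": 9001, "ppid": None,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe C:\Program Files\Vendor\Service.dll"},
    {"pid": 9002, "ppid": None,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
APPDATA_DIR = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# Where the .NET Framework utilities below are installed on a stock Windows.
FRAMEWORK_DIR = re.compile(r"^[A-Z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
DOTNET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def image_name(ev):
    return PureWindowsPath(ev["image"]).name.lower()


def schtasks_xml_from_temp(ev):
    """schtasks.exe /create ... /xml <file under %TEMP%>, the Sigma hit above."""
    cl = ev["cmdline"].lower()
    return (image_name(ev) == "schtasks.exe" and "/create" in cl
            and "/xml" in cl and TEMP_DIR.search(ev["cmdline"]) is not None)


def dotnet_lolbin_outside_framework(ev):
    """A .NET Framework utility running from anywhere but its install directory."""
    return (image_name(ev) in DOTNET_LOLBINS
            and FRAMEWORK_DIR.match(ev["image"]) is None)


def odd_extension_from_appdata(ev):
    """A .pif/.scr/.com image launched from a user-writable profile directory."""
    suffix = PureWindowsPath(ev["image"]).suffix.lower()
    return suffix in {".pif", ".scr", ".com"} and APPDATA_DIR.search(ev["image"]) is not None


RULES = {
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "dotnet_lolbin_outside_framework": dotnet_lolbin_outside_framework,
    "odd_extension_from_appdata": odd_extension_from_appdata,
}


def evaluate(events):
    """Return (pid, rule_name) for every event that triggers a rule."""
    return [(ev["pid"], name) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def ancestry(events, pid):
    """Image names from the given pid up to the root of the recorded tree."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(PureWindowsPath(by_pid[pid]["image"]).name)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    events = REPORT_EVENTS + BENIGN_EVENTS
    for pid, rule in evaluate(events):
        print(f"{rule}: pid {pid}, chain {' <- '.join(ancestry(events, pid))}")
```

The three rules fire on three different processes of the same chain, and the ancestry of the schtasks hit (schtasks.exe <- RegSvcs.exe <- qtfarawjob.pif <- SWIFTS.scr.exe) is what ties the scheduled-task alert back to the original dropper; on a real endpoint the benign controls show why the path checks, not the binary names alone, carry the signal.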

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000002.00000002.590990913.0000000004495000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7f972ccd-f2c1-42af-a77f-74adb4b9", "Group": "EGO OKU", "Domain1": "ekuro.hopto.org", "Domain2": "127.0.0.1", "Port": 1980, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.590990913.0000000004495000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.587531110.0000000003441000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORY
    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORY
    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORY
    Source: Yara match | File source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORY
    Source: Yara match | File source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPE
    Source: 8.2.RegSvcs.exe.a00000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 2.2.RegSvcs.exe.e00000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 2.2.RegSvcs.exe.5f70000.21.unpack | Avira: Label: TR/NanoCore.fadte
    Source: SWIFTS.scr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: SWIFTS.scr.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SWIFTS.scr.exe
    Source: Binary string: RegSvcs.pdb, source: qtfarawjob.pif, 00000001.00000003.355830718.0000000001520000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.344127021.0000000000A02000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000002.358285839.00000000007E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000008.00000000.370695063.0000000000622000.00000002.00020000.sdmp, RegSvcs.exe.1.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000002.00000002.591488895.0000000004E76000.00000004.00000001.sdmp
    Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe.1.dr
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F09FD3 FindFirstFileExA,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0012399B GetFileAttributesW,FindFirstFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00142408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00168877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00121A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0014CAE7 FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0014DE7C FindFirstFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: ekuro.hopto.org
    Source: Malware configuration extractor | URLs: 127.0.0.1
    Source: global traffic | TCP traffic: 192.168.2.6:49682 -> 194.5.98.184:1980
    Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00132285 InternetQueryDataAvailable,InternetReadFile,
    Source: unknown | DNS traffic detected: queries for: ekuro.hopto.org
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
    Source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository/0
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository/03
    Source: qtfarawjob.pif.0.dr | String found in binary or memory: http://www.globalsign.net/repository09
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0014A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0015D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013C2F0 GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,
    Source: qtfarawjob.pif, 00000001.00000002.356341967.00000000014EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: RegSvcs.exe, 00000002.00000002.590990913.0000000004495000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0016C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

    E-Banking Fraud:

    Yara detected Nanocore RAT
    Source: Yara match | File sources: the same 35 memory dumps and 4 process memory spaces (qtfarawjob.pif PIDs 5900 and 6132, RegSvcs.exe PIDs 2932 and 1972) listed for this signature under AV Detection above.
    Source: Yara matchFile source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPE

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.593967539.0000000006F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.594092572.0000000006F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.593813593.0000000006EC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.594107341.0000000006F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.591934672.00000000050BC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.591488895.0000000004E76000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.594522145.0000000007490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.593746192.0000000006EB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.594053531.0000000006F60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.593208278.0000000005D90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.593916225.0000000006F10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.593893788.0000000006F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.591902295.00000000050A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.587691040.00000000034AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000002.00000002.594026273.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000002.00000002.593985539.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6f20000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34c58f4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f10000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.7490000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f80000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6ec0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.50abcce.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6eb0000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f60000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f50000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.50abcce.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51187df.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51187df.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f9e8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f40000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.512160e.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f255c1.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.512fa3e.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f94c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6f50000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.346ca04.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f80000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.7490000.37.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f00000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f317f5.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f60000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34d1b3c.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.3.RegSvcs.exe.51e5991.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.RegSvcs.exe.30696b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34e6178.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34e6178.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.512fa3e.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.3.RegSvcs.exe.51eb3bd.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f40000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.5d90000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f10000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.3.RegSvcs.exe.51d1366.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f20000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6f30000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34c58f4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34c58f4.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6eb0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f90000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f45e22.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f45e22.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.512160e.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.51187df.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.6f90000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.3.RegSvcs.exe.51eb3bd.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.6ec0000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.4f255c1.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f255c1.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.34d1b3c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.34d1b3c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.2.RegSvcs.exe.4f317f5.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 2.2.RegSvcs.exe.4f317f5.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 2.3.RegSvcs.exe.51d1366.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\Desktop\SWIFTS.scr.exeCode function: 0_2_00EE6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pifCode function: 1_2_00136219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pifCode function: 1_2_001233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF626D
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE83C0
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE30FC
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F0C0B0
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F00113
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFF3CA
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF33D3
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEF5C5
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F0C55E
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F00548
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEE510
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF66A2
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE2692
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF364E
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F10654
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFF8C6
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF589E
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF397F
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEE973
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEDADD
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEBAD1
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFFCDE
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF6CDB
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F03CBA
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE5D7E
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00F03EE9
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE3EAD
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EEDF12
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_000F35F0
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_000F98F0
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00102136
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0010A137
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0011427D
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013F3A6
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00102508
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013655F
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_000F98F0
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00103721
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_000FF730
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0011088F
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0010C8CE
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_001028F0
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00101903
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0016EA2B
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013EAD5
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00113BA1
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00132D2D
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00101D98
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00110DE0
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0013CE8D
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00134EB7
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00111F2C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_01A5E480
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_01A5E471
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_01A5BBD4
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2F5F8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B29788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2A613
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2A61B
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E88988
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8965E
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E895A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E898D8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EB708
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E3F38
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EAE38
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E06E8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E1300
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E1BE0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E32E0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E3FF6
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EF520
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E13BE
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EAAF0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 8_2_014AE471
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 8_2_014AE480
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 8_2_014ABBD4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: String function: 001014F7 appears 36 times
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: String function: 00106B90 appears 39 times
Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: String function: 001359E6 appears 65 times
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: String function: 00EFE2F0 appears 31 times
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: String function: 00EFD870 appears 35 times
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: String function: 00EFD940 appears 51 times
Source: qtfarawjob.pif.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: qtfarawjob.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qtfarawjob.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qtfarawjob.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SWIFTS.scr.exe, 00000000.00000002.334546498.00000000029B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SWIFTS.scr.exe
Source: SWIFTS.scr.exe, 00000000.00000002.334837491.0000000004870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs SWIFTS.scr.exe
Source: SWIFTS.scr.exe, 00000000.00000002.333864183.0000000000EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SWIFTS.scr.exe
Source: SWIFTS.scr.exe, 00000000.00000002.334744919.0000000002AD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs SWIFTS.scr.exe
Source: SWIFTS.scr.exe, 00000000.00000002.334714800.0000000002AB0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SWIFTS.scr.exe
Source: SWIFTS.scr.exe, 00000000.00000002.334714800.0000000002AB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SWIFTS.scr.exe
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Section loaded: dxgidebug.dll
Source: SWIFTS.scr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.593967539.0000000006F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593967539.0000000006F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.594092572.0000000006F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.594092572.0000000006F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.593813593.0000000006EC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593813593.0000000006EC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.594107341.0000000006F90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.594107341.0000000006F90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.591934672.00000000050BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.591488895.0000000004E76000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.594522145.0000000007490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.594522145.0000000007490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.593746192.0000000006EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593746192.0000000006EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.594053531.0000000006F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.594053531.0000000006F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.593208278.0000000005D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593208278.0000000005D90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.593916225.0000000006F10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593916225.0000000006F10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.593893788.0000000006F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.593893788.0000000006F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.591902295.00000000050A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.587691040.00000000034AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000002.00000002.594026273.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.594026273.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000002.00000002.593985539.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000002.00000002.593985539.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6f20000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f20000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.34c58f4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.34c58f4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f10000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f10000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.7490000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.7490000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f80000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f80000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6ec0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6ec0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.50abcce.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.50abcce.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6eb0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6eb0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f60000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f60000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f50000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f50000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.50abcce.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.50abcce.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51187df.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51187df.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51187df.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f9e8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f9e8a4.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f40000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f40000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.512160e.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.512160e.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.4f255c1.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.4f255c1.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.512fa3e.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.512fa3e.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f94c9f.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f94c9f.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6f50000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f50000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.346ca04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.346ca04.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f80000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f80000.33.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.7490000.37.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.7490000.37.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f00000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f00000.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.4f317f5.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.4f317f5.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f60000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f60000.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.34d1b3c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.34d1b3c.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.3.RegSvcs.exe.51e5991.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.RegSvcs.exe.30696b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.30696b0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.34e6178.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.34e6178.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.34e6178.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.512fa3e.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.512fa3e.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.3.RegSvcs.exe.51eb3bd.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.3.RegSvcs.exe.51eb3bd.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f40000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f40000.30.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.5d90000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.5d90000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f10000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f10000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.3.RegSvcs.exe.51d1366.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.3.RegSvcs.exe.51d1366.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f20000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f20000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6f30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f30000.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.34c58f4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.34c58f4.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6eb0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6eb0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f90000.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f90000.36.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.4f45e22.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.4f45e22.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.512160e.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.512160e.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.51187df.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.51187df.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.2.RegSvcs.exe.6f90000.36.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6f90000.36.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 2.3.RegSvcs.exe.51eb3bd.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.6ec0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.6ec0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.4f255c1.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.4f255c1.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.34d1b3c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.34d1b3c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.4f317f5.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 2.2.RegSvcs.exe.4f317f5.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.3.RegSvcs.exe.51d1366.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/32@16/2
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EE6D06 GetLastError,FormatMessageW
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_001233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00154AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0014D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0016557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0015E0F6 CoInitialize,CoCreateInstance,CoUninitialize
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EF963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File created: C:\Users\user\AppData\Roaming\89378384
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7f972ccd-f2c1-42af-a77f-74adb4b90c5d}
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_01
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | File created: C:\Users\user\temp\lklphvrvl.dll
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Command line argument: sfxname
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Command line argument: sfxstime
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Command line argument: STARTDLG
    Source: SWIFTS.scr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 identical entries)
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File read: C:\Windows\win.ini
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File read: C:\Users\user\Desktop\SWIFTS.scr.exe
    Source: unknown | Process created: C:\Users\user\Desktop\SWIFTS.scr.exe 'C:\Users\user\Desktop\SWIFTS.scr.exe'
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Process created: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif 'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif 'C:\Users\user\AppData\Roaming\89378384\QTFARA~1.PIF' C:\Users\user\AppData\Roaming\89378384\ODFUGP~1.ORG
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Process created: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif 'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File written: C:\Users\user\AppData\Roaming\89378384\crfgiqf.ini
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: SWIFTS.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: SWIFTS.scr.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: SWIFTS.scr.exe
    Source: Binary string: RegSvcs.pdb, | source: qtfarawjob.pif, 00000001.00000003.355830718.0000000001520000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.344127021.0000000000A02000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000002.358285839.00000000007E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000008.00000000.370695063.0000000000622000.00000002.00020000.sdmp, RegSvcs.exe.1.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: RegSvcs.exe, 00000002.00000002.591488895.0000000004E76000.00000004.00000001.sdmp
    Source: Binary string: RegSvcs.pdb | source: RegSvcs.exe, RegSvcs.exe.1.dr
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegSvcs.exe, 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: RegSvcs.exe, 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp
    Source: SWIFTS.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: SWIFTS.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: SWIFTS.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: SWIFTS.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: SWIFTS.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
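The "Binary string: ... .pdb" entries above are what a string scan of the RegSvcs.exe memory regions turns up, and the NanoCore plugin project names in them (MyClientPlugin, NanoCoreBase, FileBrowserClient) are often the quickest attribution clue in a dump. A tighter way to recover them is to parse the CodeView RSDS debug records the linker embeds (signature, 16-byte GUID, 4-byte age, NUL-terminated path) instead of grepping for ".pdb". The following is an added example written for this page, not Joe Sandbox or NanoCore code; the memory dump it scans is constructed inline from two of the paths the report lists, with made-up GUIDs and ages and some decoy "RSDS" bytes a naive search would trip over.

```python
"""Parse CodeView RSDS records to recover PDB paths from a memory dump.

Added example for this report, not Joe Sandbox code. The dump below is
constructed inline: it embeds two PDB paths taken from the report's
'Binary string' entries with made-up GUIDs and ages, plus decoy 'RSDS'
bytes that a naive string search would trip over."""
import struct
import uuid

RSDS_SIG = b"RSDS"
HEADER_LEN = 4 + 16 + 4   # signature + GUID + age, then a NUL-terminated path


def build_rsds_record(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Serialize a CodeView 7.0 record the way the linker writes it
    (GUID in the mixed-endian 'bytes_le' layout, age as little-endian u32)."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


def extract_pdb_records(blob: bytes, max_path: int = 512):
    """Return [(offset, guid, age, path)] for every well-formed RSDS record.

    A hit is accepted only if a NUL-terminated, UTF-8 decodable path ending
    in '.pdb' follows the 24-byte header; stray 'RSDS' bytes are skipped."""
    records = []
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        path_start = pos + HEADER_LEN
        path_end = blob.find(b"\x00", path_start, path_start + max_path)
        if path_end != -1:
            try:
                path = blob[path_start:path_end].decode("utf-8")
            except UnicodeDecodeError:
                path = ""
            if path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
                age = struct.unpack("<I", blob[pos + 20:pos + 24])[0]
                records.append((pos, guid, age, path))
        pos = blob.find(RSDS_SIG, pos + 1)
    return records


def is_nanocore_plugin_pdb(path: str) -> bool:
    """Triage filter based on the project names seen in this report's PDB paths."""
    lowered = path.lower()
    return "nanocore" in lowered or "clientplugin" in lowered


# Constructed sample dump (made up for this example; not an exported memory region).
PLUGIN_PDB = r"C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb"
HOST_PDB = "RegSvcs.pdb"
SAMPLE_DUMP = (
    b"\x00" * 64
    + build_rsds_record(uuid.UUID(int=0x1234), 1, PLUGIN_PDB)
    + b"junk RSDS\xff\xfe" * 3          # decoy: 'RSDS' with no record behind it
    + build_rsds_record(uuid.UUID(int=0xABCD), 3, HOST_PDB)
    + b"\x90" * 32
)


def main() -> None:
    for offset, guid, age, path in extract_pdb_records(SAMPLE_DUMP):
        tag = "NanoCore plugin" if is_nanocore_plugin_pdb(path) else "other"
        print(f"0x{offset:08x} {guid} age={age} [{tag}] {path}")


if __name__ == "__main__":
    main()
```

Run against a real .sdmp region the same function works unchanged; the GUID and age it returns are what a symbol server would be asked for, and a NanoCore plugin PDB path with a developer's user name in it (Liam, Andy, Cole above) is worth recording as an attribution artifact alongside the C2 configuration.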

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 2.2.RegSvcs.exe.e00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.RegSvcs.exe.a00000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_000FEE30 LoadLibraryA,GetProcAddress
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File created: C:\Users\user\AppData\Roaming\89378384\__tmp_rar_sfx_access_check_6319375
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFE336 push ecx; ret
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Code function: 0_2_00EFD870 push eax; ret
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0011D53C push 740011CFh; iretd
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_00106BD5 push ecx; ret
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D1D3 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D1D1 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D173 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D170 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D313 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2D238 push ss; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2BFA1 push cs; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2AF9B push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B2AF98 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_05B269F8 pushad ; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CEAE push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CEBE push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CEB6 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CE46 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CCEE push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CC7E push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CC56 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CC02 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CDAF push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CD66 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CD56 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CD16 push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8BBA0 pushad ; ret
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_06E8CBBE push es; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EC620 push es; ret
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075EE488 pushfd ; retf
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 2_2_075E31C0 push es; ret
    Source: 2.2.RegSvcs.exe.e00000.1.unpack and 8.2.RegSvcs.exe.a00000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 2.2.RegSvcs.exe.e00000.1.unpack and 8.2.RegSvcs.exe.a00000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Persistence and Installation Behavior:

    Drops PE files with a suspicious file extension
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | File created: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif (dropped file; 2 identical entries)
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe (dropped file)

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'
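The process chain in the "Process created" entries above and the schtasks line here give three hunting signals that survive a change of sample: a .pif executable launched from %APPDATA%, a .NET framework utility (RegSvcs.exe) running from %TEMP% instead of C:\Windows\Microsoft.NET\Framework, and schtasks /create fed a task XML from %TEMP% by a parent that itself lives in a user-writable directory. The following is an added example written for this page, not Joe Sandbox or NanoCore code: it encodes those signals as rules over constructed Sysmon-style process-creation events (parent image, image, command line) modelled on the report's tree, with two made-up benign controls so the rules can be seen not firing. Extending the utility list to RegAsm.exe and InstallUtil.exe is the example's own assumption; the report shows only RegSvcs.exe.

```python
"""Flag the process-creation chain this report records.

Added example, not Joe Sandbox or NanoCore code. The events below are
constructed, Sysmon-style (parent image, image, command line), modelled on
the 'Process created' entries and the schtasks line above; the two benign
controls are made up for contrast."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
FRAMEWORK_DIR = re.compile(r"^[A-Z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
# The report shows only RegSvcs.exe being copied to %TEMP% and hollowed; RegAsm.exe
# and InstallUtil.exe are added here by analogy (assumption, not from the report).
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /create whose /xml task definition lives under %TEMP%."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return False
    m = XML_ARG.search(ev.command_line)
    return bool(m and TEMP_DIR.search(m.group(1)))


def dotnet_utility_outside_framework(ev: ProcEvent) -> bool:
    """A .NET framework utility running from anywhere but its framework directory."""
    return basename(ev.image) in DOTNET_UTILITIES and not FRAMEWORK_DIR.match(ev.image)


def pif_from_roaming(ev: ProcEvent) -> bool:
    """Executable with a .pif extension launched from %APPDATA%."""
    return basename(ev.image).endswith(".pif") and bool(ROAMING_DIR.search(ev.image))


def task_created_by_user_writable_parent(ev: ProcEvent) -> bool:
    """schtasks spawned by a parent that itself runs from %TEMP% or %APPDATA%."""
    return basename(ev.image) == "schtasks.exe" and bool(
        TEMP_DIR.search(ev.parent_image) or ROAMING_DIR.search(ev.parent_image))


RULES = (schtasks_xml_from_temp, dotnet_utility_outside_framework,
         pif_from_roaming, task_created_by_user_writable_parent)


def evaluate(events):
    """Return [(rule_name, image_basename)] for every rule that fires, in event order."""
    return [(rule.__name__, basename(ev.image)) for ev in events for rule in RULES if rule(ev)]


USER = r"C:\Users\user"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    ProcEvent(r"C:\Windows\explorer.exe", USER + r"\Desktop\SWIFTS.scr.exe",
              USER + r"\Desktop\SWIFTS.scr.exe"),
    ProcEvent(USER + r"\Desktop\SWIFTS.scr.exe", USER + r"\AppData\Roaming\89378384\qtfarawjob.pif",
              USER + r"\AppData\Roaming\89378384\qtfarawjob.pif odfugpcmco.org"),
    ProcEvent(USER + r"\AppData\Roaming\89378384\qtfarawjob.pif", USER + r"\AppData\Local\Temp\RegSvcs.exe",
              USER + r"\AppData\Local\Temp\RegSvcs.exe"),
    ProcEvent(USER + r"\AppData\Local\Temp\RegSvcs.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              "schtasks.exe /create /f /tn 'DHCP Monitor' /xml '" + USER + r"\AppData\Local\Temp\tmpA342.tmp'"),
    # benign controls (made up): the real RegSvcs.exe, and an installer's task from ProgramData
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "RegSvcs.exe MyComponent.dll"),
    ProcEvent(r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn 'Vendor Update' /xml 'C:\ProgramData\Vendor\task.xml'"),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:40} {image}")
```

The path-based rules are cheap to evade by changing the drop directory, so the one worth keeping as a standing detection is the parent/child pair: schtasks (or any LOLBin) spawned by a process whose image sits under a user-writable path. The task name 'DHCP Monitor' is deliberately plausible and should not be relied on.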

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier (access: read attributes, delete)
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_0016A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Code function: 1_2_001243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process information set: NOOPENFILEERRORBOX (3 identical entries)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif | Process information set: NOOPENFILEERRORBOX (3 identical entries)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (13 identical entries)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM autoit script
    Source: Yara match File source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORY
    Source: Yara match File source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORY
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477 (3 identical events)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 2103
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 7385
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 601
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 635
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif TID: 2276 Thread sleep count: 65 > 30
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif TID: 2276 Thread sleep count: 109 > 30
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif TID: 1864 Thread sleep count: 70 > 30
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif TID: 1864 Thread sleep count: 125 > 30
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical events)
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EEA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00F09FD3 FindFirstFileExA,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0012399B GetFileAttributesW,FindFirstFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0013BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00142408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0013280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00168877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00121A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0014CAE7 FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0014DE7C FindFirstFileW,FindClose,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0013BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFD353 VirtualQuery,GetSystemInfo,
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477 (3 identical events)
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
    Source: qtfarawjob.pif, 00000001.00000003.355653955.0000000003CEB000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe
    Source: qtfarawjob.pif, 00000007.00000003.376441524.0000000003D51000.00000004.00000001.sdmp Binary or memory string: rocessExists("VboxService.exe") Then
    Source: RegSvcs.exe, 00000005.00000002.360172333.00000000051A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: SWIFTS.scr.exe, 00000000.00000003.333040879.00000000007A3000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
    Source: odfugpcmco.org.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
    Source: odfugpcmco.org.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
    Source: qtfarawjob.pif, 00000001.00000003.355653955.0000000003CEB000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe536C7\
    Source: RegSvcs.exe, 00000005.00000002.360172333.00000000051A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: qtfarawjob.pif, 00000001.00000003.337787651.0000000003CB1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thenun
    Source: SWIFTS.scr.exe, 00000000.00000003.333040879.00000000007A3000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then39`
    Source: odfugpcmco.org.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
    Source: qtfarawjob.pif, 00000007.00000003.376441524.0000000003D51000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenIv8
    Source: qtfarawjob.pif, 00000007.00000003.376441524.0000000003D51000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then39
    Source: qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe
    Source: qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe536C7m
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenIv8l
    Source: qtfarawjob.pif, 00000001.00000003.337787651.0000000003CB1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
    Source: odfugpcmco.org.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
    Source: qtfarawjob.pif, 00000001.00000003.355653955.0000000003CEB000.00000004.00000001.sdmp, qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
    Source: qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe{
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
    Source: RegSvcs.exe, 00000005.00000002.360172333.00000000051A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: qtfarawjob.pif, 00000001.00000003.349718943.0000000003CC1000.00000004.00000001.sdmp Binary or memory string: rocessExists("VboxService.exe") Thenun
    Source: qtfarawjob.pif, 00000001.00000003.337787651.0000000003CB1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenL5
    Source: qtfarawjob.pif, 00000001.00000003.337787651.0000000003CB1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") ThenR6>
    Source: qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
    Source: qtfarawjob.pif, 00000001.00000003.349718943.0000000003CC1000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exec
    Source: odfugpcmco.org.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
    Source: RegSvcs.exe, 00000005.00000002.360172333.00000000051A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00106374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0014A35D BlockInput,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_000FEE30 LoadLibraryA,GetProcAddress,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00F06AF3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00F0ACA1 GetProcessHeap,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFE643 SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00F07BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0010F170 SetUnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0010A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00107CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
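The AutoIt conditions recovered from the qtfarawjob.pif memory dumps above can be replayed against a host profile to see which of them a given analysis environment trips. The following is an added example in Python, not code from the sample or from the sandbox: the process names and conditions are copied from the memory strings above, the two host profiles are constructed, and the second helper explains the 922337203685477 ms figure logged for RegSvcs.exe, which is 2**63 100-nanosecond ticks expressed in milliseconds, i.e. the most negative relative NtDelayExecution timeout (an unbounded wait) rendered as a number. That reading of the value is an interpretation, not something the report states.

```python
from dataclasses import dataclass
from typing import Optional

# Process names the recovered script tests on their own with ProcessExists().
VM_PROCESSES_ALONE = ("VboxService.exe", "VBoxTray.exe", "VMwaretray.exe")
# Names the script only tests together with DriveSpaceFree("d:\") < 1.
VM_PROCESSES_WITH_EMPTY_D = ("VMwareUser.exe", "VMwareService.exe")

# 2**63 100-ns ticks in milliseconds: how an unbounded relative wait shows up
# in the report's "Thread delayed" lines (interpretation, see lead-in).
INDEFINITE_DELAY_MS = (1 << 63) // 10_000  # 922337203685477


@dataclass
class HostProfile:
    processes: set               # running image names
    d_free_mb: Optional[float]   # DriveSpaceFree("d:\") in MB; None when D: is missing or has no medium
    progman_text: str            # what WinGetText("Program Manager") would return


def antivm_checks(host):
    """Return the recovered AutoIt conditions that evaluate true on `host`."""
    running = {p.lower() for p in host.processes}
    hits = []
    for name in VM_PROCESSES_ALONE:
        if name.lower() in running:
            hits.append(f'ProcessExists("{name}")')
    # AutoIt's DriveSpaceFree() returns 0 (and sets @error) for a drive it cannot
    # read, so an absent or empty D: satisfies the "< 1" clause as well.
    d_free = 0.0 if host.d_free_mb is None else host.d_free_mb
    for name in VM_PROCESSES_WITH_EMPTY_D:
        if d_free < 1 and name.lower() in running:
            hits.append(f'DriveSpaceFree("d:\\") < 1 And ProcessExists("{name}")')
    if host.progman_text == "0":
        hits.append('WinGetText("Program Manager") = "0"')
    return hits


def is_indefinite_delay(delay_ms):
    """True for the 922337203685477 ms figure the report logs for RegSvcs.exe."""
    return int(delay_ms) == INDEFINITE_DELAY_MS


# Constructed profiles (not taken from the report): a VMware guest whose D: is
# an empty CD-ROM drive and whose desktop is bare, and a physical workstation.
SANDBOX_PROFILE = HostProfile({"explorer.exe", "VMwareUser.exe", "VMwareService.exe"}, None, "0")
WORKSTATION_PROFILE = HostProfile({"explorer.exe", "outlook.exe"}, 48_000.0, "Recycle Bin")

if __name__ == "__main__":
    for label, host in (("sandbox", SANDBOX_PROFILE), ("workstation", WORKSTATION_PROFILE)):
        print(label, antivm_checks(host) or "passes all checks")
    print("indefinite delay:", is_indefinite_delay(922337203685477))
```

The `DriveSpaceFree("d:\") < 1` clause is close to a no-op in a typical VMware guest: the report itself logs the NECVMWar VMware SATA CD-ROM device, which is what usually sits on D: there, so the conjunction reduces to the process-name test. A sandbox that wants to pass these particular checks therefore has to rename or hide the tools processes, not just populate D:.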

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E00000 protect: page execute and read and write
    Injects a PE file into a foreign process
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E00000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E00000
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: C8C000
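The three signatures above are one heuristic seen from three angles: a remote allocation with execute permission, a remote write, and a remote write whose first bytes are the DOS header signature 4D5A ("MZ") into a region the same caller just made RWX. The following Python is an added example, not sandbox or sample code. It parses the report's own "Memory allocated" / "Memory written" lines into events and applies that heuristic; the fourth event, an RWX allocation by RegSvcs.exe inside its own address space, is constructed to show what the heuristic deliberately ignores.

```python
import re
from dataclasses import dataclass

# Win32 protection constant behind the report's "page execute and read and write".
PAGE_EXECUTE_READWRITE = 0x40
PROTECT_NAMES = {"page execute and read and write": PAGE_EXECUTE_READWRITE}

# The two line shapes the report uses for cross-process memory operations.
ALLOC_RE = re.compile(
    r"^Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(
    r"^Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<hex>[0-9A-Fa-f]+))?$")


@dataclass(frozen=True)
class ApiEvent:
    caller: str        # process performing the operation
    api: str           # "VirtualAllocEx" or "WriteProcessMemory"
    target: str        # process whose address space is touched
    base: int          # remote base address
    protect: int = 0   # requested protection (allocations only)
    data: bytes = b""  # leading bytes written (writes only)


def parse_report_line(caller, line):
    """Turn one 'Memory allocated' / 'Memory written' report line into an ApiEvent."""
    m = ALLOC_RE.match(line)
    if m:
        return ApiEvent(caller, "VirtualAllocEx", m["target"], int(m["base"], 16),
                        protect=PROTECT_NAMES.get(m["prot"].strip(), 0))
    m = WRITE_RE.match(line)
    if m:
        return ApiEvent(caller, "WriteProcessMemory", m["target"], int(m["base"], 16),
                        data=bytes.fromhex(m["hex"] or ""))
    raise ValueError(f"unrecognised report line: {line!r}")


def classify(events):
    """Map events to the three signature names the report raises.

    A write counts as PE injection only when its first two bytes are 'MZ' and
    it lands in a region the same caller previously allocated RWX in that
    target; a lone foreign write (the one at C8C000 below) stays at the weaker
    'writes to foreign memory regions' level.
    """
    hits = {
        "Allocates memory in foreign processes": [],
        "Writes to foreign memory regions": [],
        "Injects a PE file into a foreign process": [],
    }
    rwx_regions = set()
    for ev in events:
        if ev.caller == ev.target:
            continue  # in-process RWX allocations are routine (CLR JIT, packers)
        key = (ev.caller, ev.target, ev.base)
        if ev.api == "VirtualAllocEx":
            hits["Allocates memory in foreign processes"].append(key)
            if ev.protect == PAGE_EXECUTE_READWRITE:
                rwx_regions.add(key)
        elif ev.api == "WriteProcessMemory":
            hits["Writes to foreign memory regions"].append(key)
            if ev.data[:2] == b"MZ" and key in rwx_regions:
                hits["Injects a PE file into a foreign process"].append(key)
    return hits


INJECTOR = r"C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif"
HOST = r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"

# The three report lines above, verbatim apart from the leading "Source:" prefix.
REPORT_LINES = [
    "Memory allocated: " + HOST + " base: E00000 protect: page execute and read and write",
    "Memory written: " + HOST + " base: E00000 value starts with: 4D5A",
    "Memory written: " + HOST + " base: C8C000",
]


def sample_events():
    events = [parse_report_line(INJECTOR, line) for line in REPORT_LINES]
    # Constructed, benign: the host allocating RWX in itself must not count.
    events.append(ApiEvent(HOST, "VirtualAllocEx", HOST, 0x5000000,
                           protect=PAGE_EXECUTE_READWRITE))
    return events


if __name__ == "__main__":
    for signature, keys in classify(sample_events()).items():
        for caller, target, base in keys:
            print(f"{signature}: {caller} -> {target} @ {base:X}")
```

Requiring the MZ write to land in a region the same caller allocated RWX is what separates this from the many legitimate cross-process writes (debuggers, accessibility tools); in this trace the second write at C8C000 carries no such allocation and is reported, correctly, only as a foreign write.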
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00126C61 LogonUserW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_000FD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_001243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00123321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Process created: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif 'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
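The four process creations above form the chain SWIFTS.scr.exe -> qtfarawjob.pif -> RegSvcs.exe -> schtasks.exe, and each hop carries something a process-creation rule can key on. The following added Python example (not from the report or the sample) encodes three such checks over constructed process-creation records: an image with a .pif or .scr extension (or a .scr.exe double extension), RegSvcs.exe running from anywhere other than %WINDIR%\Microsoft.NET\ where the genuine .NET Framework tool lives, and schtasks.exe /create fed an /xml file from the user's Temp directory. The images and command lines are the ones the report shows; the PIDs and parent links are invented to reproduce the chain.

```python
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Executable extensions users rarely launch on purpose; the two this sample uses.
SUSPICIOUS_EXTENSIONS = {".pif", ".scr"}
# .NET Framework tools whose genuine copies live only under FRAMEWORK_DIR.
FRAMEWORK_TOOLS = {"regsvcs.exe"}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\"
USER_TEMP = "\\appdata\\local\\temp\\"


def argv(cmdline):
    """Split a Windows command line. posix=False keeps backslashes literal; the
    quotes (rendered as single quotes in the report) are stripped afterwards."""
    return [tok.strip("'\"") for tok in shlex.split(cmdline, posix=False)]


def rule_suspicious_extension(ev):
    name = ntpath.basename(ev.image).lower()
    stem, ext = ntpath.splitext(name)
    if ext in SUSPICIOUS_EXTENSIONS:
        return f"executable with {ext} extension"
    inner = ntpath.splitext(stem)[1]
    if inner in SUSPICIOUS_EXTENSIONS:  # e.g. SWIFTS.scr.exe
        return f"double extension {inner}{ext}"
    return None


def rule_framework_tool_relocated(ev):
    name = ntpath.basename(ev.image).lower()
    if name in FRAMEWORK_TOOLS and not ev.image.lower().startswith(FRAMEWORK_DIR):
        return f"{name} running from {ntpath.dirname(ev.image)} instead of {FRAMEWORK_DIR}"
    return None


def rule_schtasks_xml_from_temp(ev):
    if ntpath.basename(ev.image).lower() != "schtasks.exe":
        return None
    args = [a.lower() for a in argv(ev.cmdline)]
    if "/create" not in args or "/xml" not in args:
        return None
    i = args.index("/xml")
    xml_path = args[i + 1] if i + 1 < len(args) else ""
    if USER_TEMP in xml_path:
        return f"task registered from XML in user temp: {xml_path}"
    return None


RULES = (rule_suspicious_extension, rule_framework_tool_relocated, rule_schtasks_xml_from_temp)


def evaluate(events):
    """Return (rule name, pid, detail) for every rule that fires on any event."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, ev.pid, detail))
    return findings


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid and len(chain) < 64:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


# Constructed records: images and command lines from the report, PIDs invented.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, r"C:\Users\user\Desktop\SWIFTS.scr.exe",
                 r"C:\Users\user\Desktop\SWIFTS.scr.exe"),
    ProcessEvent(5900, 1000, r"C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif",
                 r"'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org"),
    ProcessEvent(2000, 5900, r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
                 r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"),
    ProcessEvent(3000, 2000, r"C:\Windows\SysWOW64\schtasks.exe",
                 r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'"),
    ProcessEvent(2001, 5900, r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
                 r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}: {detail}")
    print(" -> ".join(ancestry(SAMPLE_EVENTS, 3000)))
```

The relocated-RegSvcs.exe rule is the one with the best signal here: the binary name is a legitimate Microsoft tool, which is the point of the masquerade, but the genuine file never executes from a user's Temp directory, so a path prefix check catches it without any knowledge of the payload.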
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0013602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
    Source: qtfarawjob.pif, 00000001.00000003.349718943.0000000003CC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.590886394.0000000003AA4000.00000004.00000001.sdmp, qtfarawjob.pif, 00000007.00000003.377040369.0000000003D6C000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: qtfarawjob.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
    Source: qtfarawjob.pif, RegSvcs.exe, 00000002.00000002.587193227.0000000001E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: RegSvcs.exe, 00000002.00000002.590886394.0000000003AA4000.00000004.00000001.sdmp Binary or memory string: Program Manager0ZC
    Source: RegSvcs.exe, 00000002.00000002.587193227.0000000001E30000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: qtfarawjob.pif, 00000001.00000003.337787651.0000000003CB1000.00000004.00000001.sdmp, qtfarawjob.pif, 00000007.00000003.376441524.0000000003D51000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
    Source: RegSvcs.exe, 00000002.00000002.594498066.000000000748A000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
    Source: RegSvcs.exe, 00000002.00000002.593585386.0000000006BFC000.00000004.00000001.sdmp Binary or memory string: Program Managerram Managerj
    Source: odfugpcmco.org.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
    Source: RegSvcs.exe, 00000002.00000002.587193227.0000000001E30000.00000002.00000001.sdmp Binary or memory string: &Program Manager
    Source: qtfarawjob.pif, 00000007.00000003.363857374.0000000003D41000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Thena
    Source: RegSvcs.exe, 00000002.00000002.587193227.0000000001E30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: qtfarawjob.pif, 00000001.00000002.356124333.0000000000172000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
    Source: RegSvcs.exe, 00000002.00000002.588118939.00000000035F8000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: RegSvcs.exe, 00000002.00000002.593621947.0000000006D3C000.00000004.00000001.sdmp Binary or memory string: Program Manager x
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFE34B cpuid
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: GetLocaleInfoW,GetNumberFormatW,
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (3 identical events)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EFCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_00162BF9 GetUserNameW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Code function: 1_2_0010E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\user\Desktop\SWIFTS.scr.exe Code function: 0_2_00EEA995 GetVersionExW,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (11 identical events)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct (11 identical events)
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct (11 identical events)

    Stealing of Sensitive Information:

    barindex
    Yara detected Nanocore RATShow sources
    Source: Yara match, File source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.590990913.0000000004495000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000002.00000002.587531110.0000000003441000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: qtfarawjob.pif PID: 5900, type: MEMORY
    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2932, type: MEMORY
    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1972, type: MEMORY
    Source: Yara match, File source: Process Memory Space: qtfarawjob.pif PID: 6132, type: MEMORY
    Source: Yara match, File source: 7.3.qtfarawjob.pif.400b028.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4b1b830.2.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.5f74629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.44a95f8.8.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 8.2.RegSvcs.exe.404b7de.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 8.2.RegSvcs.exe.4054c3d.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.5f70000.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.51ac908.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 8.2.RegSvcs.exe.a00000.1.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4a83000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4b1b830.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4b1b830.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.44a95f8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 7.3.qtfarawjob.pif.3f73000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.51ac908.18.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 8.2.RegSvcs.exe.4050614.5.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4b1b830.1.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 8.2.RegSvcs.exe.4050614.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.e00000.1.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 7.3.qtfarawjob.pif.400b028.2.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.5f70000.21.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.51b0f31.17.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.51a7ad2.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPE
    Source: qtfarawjob.pif, Binary or memory string: WIN_XP
    Source: qtfarawjob.pif, Binary or memory string: WIN_XPe
    Source: qtfarawjob.pif, Binary or memory string: WIN_VISTA
    Source: qtfarawjob.pif.0.dr, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
    Source: qtfarawjob.pif, Binary or memory string: WIN_7
    Source: qtfarawjob.pif, Binary or memory string: WIN_8

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: qtfarawjob.pif, 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: qtfarawjob.pif, 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 2.2.RegSvcs.exe.44adc21.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.3.qtfarawjob.pif.4a83000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.3.qtfarawjob.pif.3f73000.0.raw.unpack, type: UNPACKEDPE
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pifCode function: 1_2_0015C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pifCode function: 1_2_001665D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
    Source: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pifCode function: 1_2_00154EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

    Mitre Att&ck Matrix

    The matrix is listed here by tactic (one column of the original matrix per line); numbers in parentheses are the signature-count badges shown beside matched techniques in the original matrix.

    Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
    Execution: Windows Management Instrumentation (1), Native API (1), Command and Scripting Interpreter (2), Scheduled Task/Job (1), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
    Persistence: DLL Side-Loading (1), Valid Accounts (2), Scheduled Task/Job (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
    Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (312), Scheduled Task/Job (1), Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
    Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), Masquerading (11), Valid Accounts (2), Virtualization/Sandbox Evasion (31), Access Token Manipulation (21), Process Injection (312), Hidden Files and Directories (1)
    Credential Access: Input Capture (41), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
    Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (36), Query Registry (1), Security Software Discovery (41), Virtualization/Sandbox Evasion (31), Process Discovery (2), Application Window Discovery (11), System Owner/User Discovery (1), Permission Groups Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
    Collection: Archive Collected Data (11), Input Capture (41), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
    Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

    Behavior Graph

    Behavior Graph ID: 385150; Sample: SWIFTS.scr.exe; Startdate: 12/04/2021; Architecture: WINDOWS; Score: 100
    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 6 other signatures

    Process tree as rendered in the graph:
    • SWIFTS.scr.exe (started); dropped C:\Users\user\AppData\...\qtfarawjob.pif (PE32); signature: Drops PE files with a suspicious file extension
      • qtfarawjob.pif (started by SWIFTS.scr.exe); dropped C:\Users\user\AppData\Local\...\RegSvcs.exe (PE32); signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        • RegSvcs.exe (started by qtfarawjob.pif); contacted ekuro.hopto.org 194.5.98.184, 1980, 49682, 49683 (DANILENKODE, Netherlands) and 192.168.2.1 (unknown); dropped C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO) and C:\Users\user\AppData\Local\...\tmpA342.tmp (XML); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
          • schtasks.exe (started by RegSvcs.exe)
            • conhost.exe (started by schtasks.exe)
    • RegSvcs.exe (started)
      • conhost.exe (started by RegSvcs.exe)
    • qtfarawjob.pif (started)
      • RegSvcs.exe (started by qtfarawjob.pif)


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Detection: 0%; Scanner: Metadefender
    Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Detection: 0%; Scanner: ReversingLabs

    Unpacked PE Files

    Source: 8.2.RegSvcs.exe.a00000.1.unpack; Detection: 100%; Scanner: Avira; Label: TR/Dropper.MSIL.Gen7
    Source: 2.2.RegSvcs.exe.e00000.1.unpack; Detection: 100%; Scanner: Avira; Label: TR/Dropper.MSIL.Gen7
    Source: 2.2.RegSvcs.exe.5f70000.21.unpack; Detection: 100%; Scanner: Avira; Label: TR/NanoCore.fadte

    Domains

    No Antivirus matches

    URLs

    Source: http://secure.globalsign.net/cacert/PrimObject.crt0; Detection: 0%; Scanner: Virustotal
    Source: http://secure.globalsign.net/cacert/PrimObject.crt0; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://secure.globalsign.net/cacert/ObjectSign.crt09; Detection: 0%; Scanner: URL Reputation; Label: safe (listed four times)
    Source: http://www.globalsign.net/repository09; Detection: 0%; Scanner: Virustotal
    Source: http://www.globalsign.net/repository09; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: ekuro.hopto.org; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://www.globalsign.net/repository/0; Detection: 0%; Scanner: URL Reputation; Label: safe (listed four times)
    Source: 127.0.0.1; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
    Source: http://www.globalsign.net/repository/03; Detection: 0%; Scanner: URL Reputation; Label: safe (listed three times)

    Domains and IPs

    Contacted Domains

    Name: ekuro.hopto.org; IP: 194.5.98.184; Active: true; Malicious: true; Reputation: unknown

      Contacted URLs

      Name: ekuro.hopto.org; Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
      Name: 127.0.0.1; Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

      URLs from Memory and Binaries

      Name: http://secure.globalsign.net/cacert/PrimObject.crt0; Source: qtfarawjob.pif.0.dr; Malicious: false; Antivirus Detection: 0% Virustotal, Avira URL Cloud: safe; Reputation: unknown
      Name: http://secure.globalsign.net/cacert/ObjectSign.crt09; Source: qtfarawjob.pif.0.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (four entries); Reputation: unknown
      Name: http://www.globalsign.net/repository09; Source: qtfarawjob.pif.0.dr; Malicious: false; Antivirus Detection: 0% Virustotal, Avira URL Cloud: safe; Reputation: unknown
      Name: http://www.autoitscript.com/autoit3/0; Source: qtfarawjob.pif.0.dr; Malicious: false; Reputation: high
      Name: http://www.globalsign.net/repository/0; Source: qtfarawjob.pif.0.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (four entries); Reputation: unknown
      Name: http://www.globalsign.net/repository/03; Source: qtfarawjob.pif.0.dr; Malicious: false; Antivirus Detection: URL Reputation: safe (three entries); Reputation: unknown

        Contacted IPs


        Public

        IP: 194.5.98.184; Domain: ekuro.hopto.org; Country: Netherlands; ASN: 208476; ASN Name: DANILENKODE; Malicious: true

        Private

        IP: 192.168.2.1

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:385150
        Start date:12.04.2021
        Start time:05:06:16
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 12m 50s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:SWIFTS.scr.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:14
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.spyw.evad.winEXE@13/32@16/2
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 8% (good quality ratio 7.6%)
        • Quality average: 77.9%
        • Quality standard deviation: 27.8%
        HCA Information:
        • Successful, ratio: 68%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 2.23.155.232, 2.23.155.186, 205.185.216.10, 205.185.216.42, 23.218.208.56
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, 2-01-3cf7-0009.cdx.cedexis.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.

        Simulations

        Behavior and APIs

        Time: 05:07:16; Type: Autostart; Description: Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\89378384\QTFARA~1.PIF C:\Users\user\AppData\Roaming\89378384\ODFUGP~1.ORG
        Time: 05:07:21; Type: API Interceptor; Description: 932x Sleep call for process: RegSvcs.exe modified
        Time: 05:07:23; Type: Task Scheduler; Description: Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        Match: DANILENKODE. Associated samples (all detected as malicious), each with its context IP:
        • 9pZezwiVaz.exe: 194.5.97.116
        • AIC7VMxudf.exe: 194.5.98.250
        • n4CeZTejKM.exe: 194.5.98.9
        • New Order request Ref E100-#3175704534,pdf.e.exe: 194.5.97.14
        • PO-#3175704534,PDF.exe: 194.5.97.14
        • Evgp2DqQha.exe: 194.5.98.107
        • Payment Copy #6578965432.exe: 194.5.98.52
        • PO SKP 149684.jar: 194.5.98.48
        • 4EPXPkicIL.exe: 194.5.97.158
        • xoxd454e9q.exe: 194.5.97.158
        • 1VzQLgPeAlfHSHQ.exe: 194.5.97.214
        • XJ1lVmdiCi.exe: 194.5.97.237
        • QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe: 194.5.98.182
        • Revised invoice30032021.exe: 194.5.98.145
        • QUOTATIONs#280321_RFQ_PRODUCTS_ENQUIRY_TRINITY_VIETNAM_CO.exe: 194.5.98.182
        • Vp0VO1U2oo.exe: 194.5.98.107
        • IpEtbpwMpM.exe: 194.5.98.250
        • LOT 15 - Transfer Manifest.xlsx: 194.5.98.250
        • 2df27f1a3505dbd0995188d49c253f5bc53c0e994954c.exe: 194.5.98.107
        • 1AQz4ua1TU.exe: 194.5.98.107

        JA3 Fingerprints

        No context

        Dropped Files

        Match: C:\Users\user\AppData\Local\Temp\RegSvcs.exe. Associated samples (all detected as malicious): J62DQ7fO0b.exe, HSBc20210216B1.exe, zunUbtZ2Y3.exe, bank transfer.exe, nunu.exe, quotation.exe, GS_ PO NO.1862021.exe, UPDATED SOA.exe, comprobante de pago bancario.exe, ANS_309487487_#049844874.exe, Dekont_12VK2102526 VAKIF KATILIM.exe, taiwan.exe, SWIFT COPY.exe, GS_ PO NO.1862021.exe, purchase order.exe, Payment Advice.exe, Quotation.pdf...exe, PURCHASE ORDER.exe, money.exe, TT COPY.exe

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):142
                                                Entropy (8bit):5.090621108356562
                                                Encrypted:false
                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Process:C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):45152
                                                Entropy (8bit):6.149629800481177
                                                Encrypted:false
                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                Malicious:true
                                                Antivirus:
                                                 • Antivirus: Metadefender, Detection: 0%
                                                 • Antivirus: ReversingLabs, Detection: 0%
                                                 Joe Sandbox View:
                                                 • Filename: J62DQ7fO0b.exe, Detection: malicious
                                                 • Filename: HSBc20210216B1.exe, Detection: malicious
                                                 • Filename: zunUbtZ2Y3.exe, Detection: malicious
                                                 • Filename: bank transfer.exe, Detection: malicious
                                                 • Filename: nunu.exe, Detection: malicious
                                                 • Filename: quotation.exe, Detection: malicious
                                                 • Filename: GS_ PO NO.1862021.exe, Detection: malicious
                                                 • Filename: UPDATED SOA.exe, Detection: malicious
                                                 • Filename: comprobante de pago bancario.exe, Detection: malicious
                                                 • Filename: ANS_309487487_#049844874.exe, Detection: malicious
                                                 • Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious
                                                 • Filename: taiwan.exe, Detection: malicious
                                                 • Filename: SWIFT COPY.exe, Detection: malicious
                                                 • Filename: GS_ PO NO.1862021.exe, Detection: malicious
                                                 • Filename: purchase order.exe, Detection: malicious
                                                 • Filename: Payment Advice.exe, Detection: malicious
                                                 • Filename: Quotation.pdf...exe, Detection: malicious
                                                 • Filename: PURCHASE ORDER.exe, Detection: malicious
                                                 • Filename: money.exe, Detection: malicious
                                                 • Filename: TT COPY.exe, Detection: malicious
                                                Reputation:moderate, very likely benign file
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                C:\Users\user\AppData\Local\Temp\tmpA342.tmp
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1311
                                                Entropy (8bit):5.096491999374021
                                                Encrypted:false
                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Vakxtn:cbk4oL600QydbQxIYODOLedq3Bkj
                                                MD5:61B1AA63000F5F8ADEBA5BDF446B86BB
                                                SHA1:31771D1A80ABC92944BD4A9911BE9C1DC8A23C7E
                                                SHA-256:2546B14C7A9400557DE43FD855BA4A09A96FC1780BAA32AEE5BC2C22B4DD022C
                                                SHA-512:78DC27D462B0D41D190975D9515E50E50D39063C9DEF877652E16C9091D0C67004945F7B6D414F83EA2AFDD8B150890451E06D142A5E54F6DC17724F1D60942D
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                C:\Users\user\AppData\Roaming\89378384\ajwiqng.bin
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):551
                                                Entropy (8bit):5.577187279572449
                                                Encrypted:false
                                                SSDEEP:12:jLSFYaDhiinTz2ZaDUGP35mfEUTQv/sReYpo9LbpRXr8I:QDhiwTe0zY0VBbpJz
                                                MD5:96690BBFA85CA3E6131B8E8CE455E2DD
                                                SHA1:800AE71F3FEF2A123342D980E9F40F5705477B45
                                                SHA-256:A297ED796C37784A40430A3B0A03A299040A8F3D98BB728A34DA8E09F5123276
                                                SHA-512:69C657B11AD791C4C1E23BC8F3F81446565DC5125963118D30B80BE34AECB0227AECF8FBF190F1976ED176691D809F61FC014902DBDD95EC30B9FE1E2F55CBA3
                                                Malicious:false
                                                Reputation:low
                                                Preview: SEr6WCVm519gXv52S5n8jMFzRI90eY2d84t4k9NVRQ79F0Bz52lv6EMRwO7f302QeR1hQO..3y96u0A54pYz96c114r3F91A8bVWxZ01xbiEC5vW0V2qIV7PMu1802TkLv6W2988otNZ22U8h1998o8rf821010221rJ716i..6GC9OzFPbSlkFYS2448b8O2ag43nZg9t73Gyf1nU69C6V33S4FGQ328rzj17y9J1R2r5020d665Dnk44z20p10Qz4Segio3g03eMbXN6a6a16i7z0a96p66Ms9K8..xh94TqQDfx35Nfr2WMhu73k174VgCokH2N1GwM225VN7832idvs9808Z51F32Qqt4V4ge50ib6b62M529H21fLpAOx94338S4648P4EIKp8Joh9rdiQ5u..o9t2EjecJ7ZfRh2499EZ196M30ze0LB13yay80g27aHWn7E0E1GIL748A7QB43CJZM2kSe319nS4fPf8FHT4P48BVnEDGFS48j052qnd4M9mc878akOm2C87F230D4j6500R86..
                                                C:\Users\user\AppData\Roaming\89378384\ckcsljuf.txt
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):570
                                                Entropy (8bit):5.462095602197949
                                                Encrypted:false
                                                SSDEEP:12:bh3te9cIvgdPsV37WMqcQyOm+pX7Z+/8vA3vW0PDnovn:bh33Iv8sV3PqcQyOmJn3xun
                                                MD5:E83757A7EBD5201586D5CDA68BC0BEF7
                                                SHA1:FFA8D214260A5507C886558C9B3A2557E34D425E
                                                SHA-256:3D6CD22B560546BF0929D4E15F493BD420859E4F54E0F6E3B4E8973F99852687
                                                SHA-512:458C9E23216608B93FE9D108942AC54DB2D68B0AD2F1A7C77B48635EFF27BB8ED21760777E20741F644036104694F7F85BA632AD15C3AC1498F3E7B882ADDB80
                                                Malicious:false
                                                Reputation:low
                                                Preview: wrp3bm5cl9a1YWHH8ZMxT4v..423dQ512U8G147uOY2Z7f9PFK9670217ewXUgfzk8xhn27539bqlkC9ZQk53O564x26X1z36CuX3..s6A45v9a0F9309rl0K9u4maJ0F3R2Pk0566i081Tu19Hq2705Z5Sas9t..81F3057v25410143475iZ5J0242Ku5S0jf25WVM8v511l9g21mr6p031907XR08h42dVeLir3L6jB3WDJs3q42w40rBs4a2E22aM8S341IR0o19h8927781Pg9Npl857245o3nfZl047K6lUmFi17z..2HXLJ8V4004dfQ2yMMF177fyVB7Y6228KS7I1Vb153987Abe1402601704945s0YTFe74o3g691JE9c6YK9Se2E432hF40fi58YIS99GN580bktoe404n..L519453F38w5r8j9ryGV84dg138i38985R81DE79KD..A12WM5EAMa4WV6081X5l1g38wscE8w7PvHBVQF2j88Z48P80YL707DQEJ4262MX8f27VrtC27T02MT0W4e7mG7301H76..
                                                C:\Users\user\AppData\Roaming\89378384\crfgiqf.ini
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):528
                                                Entropy (8bit):5.432323738929293
                                                Encrypted:false
                                                SSDEEP:12:M8wnoDHtPkUsEJgHkywOwSsrxOyVySPlYCZfsgsdG:aeLsZE9Ow3rxBADCZfEG
                                                MD5:23566124F507E82A5A885836EDB695A2
                                                SHA1:5D38583BAA7DBD138CE8835D50D64BAC17F8CD2A
                                                SHA-256:8A6B557B093C17C8A0EAF31E3649A9DC83E7DE1E77A2133718C812418981B0EC
                                                SHA-512:437D18CC71142321831540B9CC95063898DC2D3BFFEB019D002474C680E4B185690924605F3746CE7F67C831E7192C6AF3F65E50CEDC740510DF4D827167DAEC
                                                Malicious:false
                                                Preview: es94855rt4O9mUI6137254725e7Sr6M79g26bO0qd15..Cap293h8t0Ht9p60933ghX40zO793350o7yc581525f0j29Ebvt2GV390136o7j0h90X72W5X0A6eq914b72V4h79488JZ4i21Lg1h3H059o0898F17q59U578w52Ag1pUL590T7hu39d2Q219y..gV6ZM8v7Nfu24sqfur0W41E..hVN8V109s7tNn9J3G9Y07d280R70qu0EfDEM0pZOi..rnuQ9G58r2k17an3EW9616S47s775Up0J1mJ4xV9e6c6869j064m44av80819727gfs64PMcnWPo2ClL8dypd155eQl5G2349Z8zng32Pd4VWfNS6v8tE7G027Bm295f1YDJ2y0zX57x3f93..6z900Gu8b1MP30Nj87UDZ3cK88Vxc2w2A190358S41F5kHw86643Frhw844j40V26c69hu733h63MM5j4kG544imB42c5m4YL19qeOSc8P39gDA4QZZ98V..
                                                C:\Users\user\AppData\Roaming\89378384\cxijg.ico
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):596
                                                Entropy (8bit):5.513841828081032
                                                Encrypted:false
                                                SSDEEP:12:oSD1Z3dUc5yVe+VE+ZIV47v23xgFFYh+KrVIJVlY:oGXdRygJSMxg6+pJVlY
                                                MD5:3A2175769609498B68B21C91C1592CBF
                                                SHA1:150166C7F5F211F65231E784CBA68F740B2A5FAE
                                                SHA-256:53D5311B18DA2BB40832BAFD877A36224ED8253DF947BFF81A3ABEC75F216CEA
                                                SHA-512:C2BD5344EB62494CCCE463ACFD609FD4004527429EEA3073247BBC80CC901BC4846479D43D7495BD37F40FEE28D9315FC1DC4A2D8F361DE951FFE4C1FC0FDBFC
                                                Malicious:false
                                                Preview: n12Tu85KO8P7g822OZuQ5qf53Fnqr39g00e59KN65897708a2nu2j4k2Z1Qx04um786h9U3UDzVShP3023Y76cwvv38NuN1z68538TabdH6859lX9B09WNEy96q86sMUB9b81L065Vh1ULD8G4om3Ym661DY11f9uUfVtub8..vX61Df276G2GW0J11lBd1l19DX82z337o03dx3o2LC66jx1z9615Vx5Abu66A7F4SgOHN2H0d9e3I1yTcw72PPw..u830g95iU66nJ3Y4bJyM0qA..v813xZ8vL40w57GMviw5229183dZmi32dIzf977aK584RCcz382q9909869U103..Z1K5Uw61l8988l17V2zo1GTSg3h1oN44639wOIt..c62mvv3U21bnPG980463M718082..2WqM8bI96A3Cof4v16i00Z32hhtZhRD38fxQD8..c82F45NagU94d92jhIB12xXN4k0ic90b80EQ3y7G2wri7eWFm62Biv8a3Pnf4ic7D5183hL5148uwd5i7392zU4J0q45e04mKEsq5G7X1m1a2O11U0z8umxX5AqV6Q1hb6793F1..
                                                C:\Users\user\AppData\Roaming\89378384\fvltkxlub.jpg
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):529
                                                Entropy (8bit):5.559152430474837
                                                Encrypted:false
                                                SSDEEP:12:ucBsfeejVkIdQhYHGjGKXSSpAebQ2pyPIc7raPeo4L53dTgThOw9n:ucBsdSgQhYHcGKXSAa2p4eeFXwhOw9n
                                                MD5:B6556F044811B2C8F7D4CA3DBFA66126
                                                SHA1:62996F61B47DCFD5D95D47EFC8D5FA855EFCA0AA
                                                SHA-256:C93F8AEE15C3A7BE1A4FFD3865E9C2EF534EDAE06DE6C129B221417F1BE35EA8
                                                SHA-512:9B213424CE0C98359FD4C3C784F278AAB514E660B277EADBB8B1581114226741A633AB9827972882FF72250DA0308BA639C06B3853D638D1B805FF74AC9316CB
                                                Malicious:false
                                                Preview: T1xbKVWxk26W6Zvb33L7n60u0IMP1jI237Im383kP70ahX74oQh08803Cy0hlea6VuRON4KEH5e58R8..2C241brD954o15yku1S21xyDIXny27f92302X0o9x9u5g88Sg0a0C4Gb36e40x0xg105604VkY04AOOU02..k6M6yer0m0098BD5148Ywsfd55p323PvwKf7..835T6g01XV4pl88LI9o22Y591hzHO09024BJuN727n4nKU7JjM9J2Lu9n1w69NGPt53FW4R9..0H55Plg2l15..Tspp08NT98I8D2o41m38h10K0219Y35E8AU32rqkr7x8wye2w311q03O4bHS43978G7q8545lHX1o3T7WYtr4NEfG2p5p78Z8s0P6EoD238EBb117..88qH567am4GgdFiXOJ63A24z..wE32j1563WxRz824O5llj3AnC0A58heDhRTd955w22X86zZY8F7UoG041964FD0LRF31d8bQ792814nDGIJCo17FV3APbL6c..
                                                C:\Users\user\AppData\Roaming\89378384\gencjb.ico
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):534
                                                Entropy (8bit):5.4724932938444555
                                                Encrypted:false
                                                SSDEEP:12:Xy+Mdvok6YwUZhhVXSKqZgDahE+AGSb6QgzuIa0Pv:CZAMFhDTRDahE+A5bGMa
                                                MD5:19D70FB9676D949E164957896690110D
                                                SHA1:AD0DACF83D0493D394D3B0AD13BE389E29DC1C28
                                                SHA-256:D1C6EEDE5958CA88872235C6C1D93C9EF5D16878E7C84AEF20C2FD8D2C2F4E9F
                                                SHA-512:4A3223F9CF62CD906BC2E3F360BC0CA6E8AB2C8C6B65EE48BEE91943385408DDB1D7D8795393485B47B9F3E1DFED5518B75DBFEFCD0190ADAC76904124B7967C
                                                Malicious:false
                                                Preview: 818bW6z9gcBy74p43uWf971B67367t2FqTR41..9A20N8JLtu9I90O2108B8Fx2913333r3GQ334B7b221sO3KH9uE601i30l386JNI03602F0Rd28agOGF9XM3..7723KL445j5h24j4F80x8885Y42Y9N17x52TJ2j9rE4MB4h48f84076P1Vo0y83530hSp2H0g9tKwU440M53mJw123Z2hnGtB10975Zh0Z9V69v4pu8zR4S3H8P2E63jUe7LOl9t0SrF59657y..6RA1M9352K3C9R6YoBz3M13WFCzb38amc4p74cb445c2Qe61gmXF59xQ5ggO665265Kq7i1avfd76038b5FV3DU1t32y240T9yIiI85Q526EO491E7i0C420h75J..122Urbq37J81pCXHX4cuv1C61zJv857h19uM6m3x9NyptND9mb45G1pvmB796R9z00U4R77Pvb910U41724YIDo2768s4McL0XWN5M9AK5d8Ku07PU7No1b8G6k8n5Hf4EyeU..
                                                C:\Users\user\AppData\Roaming\89378384\hwbmxx.dll
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):504
                                                Entropy (8bit):5.493963089744754
                                                Encrypted:false
                                                SSDEEP:12:pFGSL4sZmygfWl09BglWhX2t1fYeWBAQUIzRz8SDpa/CU1JRgraR4DF:pFksjgI0L4tBM3zFh9a/XLRP4h
                                                MD5:5457DA4088B48B18E4F8EAFEA201713D
                                                SHA1:C239D6F9BB6414DD850BCB75CB0DBF40AC234EB9
                                                SHA-256:62054307C143635C361ECC57C58A7970ED39498EED84485D115765C47FAB23F3
                                                SHA-512:7D035A2E8C51E6F343CAB4BF380CA37DF97F62D180745774C87A03E17138804443094ED44090B90474CC2A135B65839BCD495C5AED1CF558466188BB76137821
                                                Malicious:false
                                                Preview: 96o7A0DuZ2D960txm8A1T6919731272aiz0e2Ej7uEYR0VG7ZXP90FH6g5O04JXA4z0t458PZZlk1Uk0H7po210DGPh70G1..j559q6xLB9GRpD7I..xki1D63TCC1Vo66288hw5E6s8R56L272b41bv05Egdv24Ir63..Ico0dd9ad0Fvn0863a31S202z1e93KNFA69A85K13wdY62Yshw53LJ762i7Yr6Cb1m681q9FHT0Y03246LW84V03GO5x1W0344rnCW53RD4Z8d0P4AKJr45918Kap0k19QR4Piv5j90s86HV..8W74w50ij1107jK70U9M3M335r2k4x1F9AA708Prum2tLoUEK4uSic6I874304sgarw8t274i74i9267L810S..1qNg0s2rr5076jE1392F95OwXiMvGS4843tR15A7qhm6MD..M86e9f5zv8g6509226dAR34o0EeZ4uq7pRY4t8767601c928m8NZlM3..
                                                C:\Users\user\AppData\Roaming\89378384\jlotan.ini
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):574
                                                Entropy (8bit):5.533885609378276
                                                Encrypted:false
                                                SSDEEP:12:sDN4Bbh2ZTZdX+U/EeQuQ99dOKMkaUpianCNic:nb2dXN/U3MspianY
                                                MD5:CE2680210226A652203FA1EB5B67AD10
                                                SHA1:2C40A04295588E353F8DBCE8DBEF02DBE45C90EC
                                                SHA-256:835BE0A24E1CA0321101AE5D66F3873A00B82680320148D27EC163A216FEA010
                                                SHA-512:C8F881E9DE01FE0D8E61349CFCF4A68E1C83A92943D2036E5435403633D4B75F8BC9665AFF7DFA13670F06A20BC015FD38851C1211E3F280C5821E0618681303
                                                Malicious:false
                                                Preview: 6119v07LC8L4JA5DR0ABN637zwW0dt2..HJ3W5c94o2K5kO70h2HW5D2H03LsbE2BiEk3uL0x8..6SPa66TS56o8J0k1c44Gx413364CM5JG8DT30883e1404u9n08v625341017Ni5yd5pYkb418t111242SA1ajg012Y7Oz010ayVk23nL23h205289Wf368..0C65qkW500U0T2NsfQ517D8z7n4m..aS969s3yyXu810UEM92LZIqKvvI0s7sBt248Ho9yIWR7Kd0CuJO7SCPinh..h99yse6JV680OSgijk4jmV3R1BK3OR8H48u71Bb245LQq01zZ91TJ277EZ822p6..q5DFn950A8MYdg292J8JJ4zGy2MtU3Z1VR0F6G0493kKl8t825N74T1557O87w0y3ML6e0R8B5E89hHN55y5q93tYp260GM489Ef80AsiF96L8mKq..0aX25701c3rQ0KxP1O0m33UaA7e9ghY724I7LG85074SM4597A9AM0mU306062oL1Dm4FJ06UK7F5037V2jhwf4fn6uL97r12fMjjAwU2O..
                                                C:\Users\user\AppData\Roaming\89378384\ksbjboc.xml
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):627
                                                Entropy (8bit):5.433173452980452
                                                Encrypted:false
                                                SSDEEP:12:oV5ntosObqszp24HXMSxGjjHCiRpO7PtaySpAPmbRoc8koup6TDOn:oV5ntAbtBcSUniiyd2Pbakb6TDO
                                                MD5:FD3665C28A5AD4CD7AFA2D37F6A2A013
                                                SHA1:73E8ECBB23CA1DA919528D358BC1865D42DAF60A
                                                SHA-256:5D33E12D3BC86FEE648E7A0F847A08C74A1CDBC1B17EBD723D9E8A0B7B2C3731
                                                SHA-512:04921991551F53B20811E9E71FAEC2A50F0C62F84EC302A38FC0DFA4C569DE0C1A7624DBF93B6597B1F7D9AC7EE388BF594E8E8275A0B5B9760321D72194CD2F
                                                Malicious:false
                                                Preview: 2Y6YB5972Q045mz3q37P2h8e4l375zO288b8489..w875u4920N6LY1Z4y8y4aHXz9Q939hezE15j4v65vr1UUz6hr3U884T5S8..h4299Nc316z1Y..3v1F..9h1Mp8o2i78U316e2tzWvUa07gn9Z6k77l9377K1wrqc06baeqM..81Te2uWs4xvr1B854zjr2JXAKqYS3E..6577zHUe3x1T16w2I05pT24695J30dxL6289I33LR3RArz97i89N65g5D23ul1Cq61o33ruXA7X029B14Bv15cY226QS546wh5C0X4C7u743oB5fsY7G204H4v06YF968X3p28N8399L6MN451lq0mF2sd21do53Gf2VR25p703l2..09G841UpL1t2K96o1486c1a3rtC2o62fI893Y5680J943V140Ko116Y9F3D278716U862773qwO9Z4B266HmtD4rZ8Fyr..07i32fEJ8429l23Q431982327b23Fb7NWQTQqL9122d8icuC994t1ANkXe8D0J2n19yy9KZlK217E9S3fNnda467qp0vR6YPAM8I2y727zr13R8g4Tzv849e56w811QV80f60se2W76P46jYrS2h..
                                                C:\Users\user\AppData\Roaming\89378384\ksfdlrauwr.mp3
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):563
                                                Entropy (8bit):5.535718601608044
                                                Encrypted:false
                                                SSDEEP:12:QTHBJU3HGtRp21fMT4HvGsF4Yz57QidfnrSnelRjW7WoiY:OHImtD2lG4PGsF4IRpt677z
                                                MD5:ADCE3CC91704D3F8F129D799534DCB7C
                                                SHA1:70D31CFE92A031230BB629A8CAC8827ACD2EDA48
                                                SHA-256:2D18AA7B8C1CA86C08EE88F4744FD2FE19E46FC05E5262D52EECE73BE58D3D35
                                                SHA-512:16DA313E04B9FD5FA22EF6ECA6C9B3AECB3E4A7C04CA2B4A4578E05E2BF9216CAA9B927DC29C4817D6CB316DA06D3640ACC150E91F2DD5C53EFABF6160C6CE97
                                                Malicious:false
                                                Preview: 1V69RYo7Et31RE4ET1678uBh99088Y3g44R169d69wxQk9Amo5MC11N..712c904a7oZVNGyu86LjcS3H77k6b5dje36F75AV4Y3987GZ07uZW6RZa3P0C0hQ1K2k0Q4gzK6l3..KFb3a41D6C66Ouvl1b0BwOX24v08TbX289L716Jz9HZ0S6NDRKu84rG9UT2681KgymGR3PY3nO4i6Xbdsz8018it64WE100AxCdKJZg2v2d0..08H8dmh6E7GZ5sg8761K14b232540i2dusB65h0594otn11Un69r685k6v9yg355Ppqd0fY32A123s1bLI7vJi6083110cz0r097952s0q8a8lB3c5l5v4yerR5S3OLM565E747101J6W73iO04..10ER1aPQObta1352z63o29112y1S8B2YN0LM3RI60J90b2iXz4k0giDuTiJ62G7i6v5q9Bk65R444P4qj1zMC2PvFkhYU4835o..e97cz5X26g14j3MsA1R25BFyt2785UB2S06tnt276p8d4PZIa08q3er24s7Qm6V020..
                                                C:\Users\user\AppData\Roaming\89378384\ljqg.dat
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):601
                                                Entropy (8bit):5.531138280612808
                                                Encrypted:false
                                                SSDEEP:12:r9n4zfKK9+9JihjMdzXhNUjvaHwjdSdcQDoxufi7Xwm7wzvaf9WaIzi9sw/AQerF:10K++rzdVNUsOdbQYQi7XvwDaEasGIQs
                                                MD5:C733796CBDC744AD5A3185CEE4B8F924
                                                SHA1:72E1D7082605BD623E4BA26264EB7D826890594D
                                                SHA-256:44522886B7DB539DD03FC01520B541484494EEAC15CBC0868AE2E9CFDEC96C64
                                                SHA-512:2909D444D7C028852B3BB4EEFB30BC08E4BE89D69CBB23B7701D77EF15550059A19A7F02B75C1521499D6F9D6DA8D1A6E90F90CB25E12E21009A9CBD85F7BB45
                                                Malicious:false
                                                Preview: bQ5OGrjz4NOg2LXZvR0nNN6Et2aR1n89i44R518n8GVM5E00b92l60pT2z1Lx4oHu0A44ZyHDHZLeY..uK6rNlxE3WhL8pU95Z3x9P1yZjdH5G020b2sr820tm8S12wwd926KY633C7S0jQ54i0cj650w8p..8ZR92S43P444dLie0ltFYzwdP0elFRVqx773x77AJ2j802236470gF0A4K57tK2Yq02H2zw8l2rs0613ZGnJroJ74r560Qz..4cA8n889fmY55882ya8pABF2SA1s5T2P964fSa3v6G606rRHbr3cP275H86Dz86fp05j6vXJ5086Sa9vL7ocJ0s3Zz6rU1jo6V5uczH98..p4K6MmQw3uHV2OX39826w8E922N8L088d27BjPl2l8h..25vo51v2c50jz998xF5oEGV58..29TyeV42j8Z71EL7w38Bp9bVKc1DJ26t3T3f021951621285u970w215Y3eVdOaw79PUF778e6JIT723RFD0120N7c92597237Cw5xR5MB0cK4n2qyz10pv6m8e77c43z1YU50NU54S6Z35DG3yohY8us7074X8186JSLu..
                                                C:\Users\user\AppData\Roaming\89378384\lklphvrvl.dll
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):474485
                                                Entropy (8bit):4.406207301813423
                                                Encrypted:false
                                                SSDEEP:6144:7g79IKy0B266k1tvpN5KinwYBrFSKrQlTKLJEdaLj1PUbq786:0fyH6n1tRN5KiwYll0lChj1PUbU86
                                                MD5:42A8B623A2CE95FCEF78600C98D10194
                                                SHA1:7C377211B176A5648F67DCB316B105EC4002D1A4
                                                SHA-256:67E831370377703A709D9C19AA91DEB997AC4A48F0627E5F1656CDD773195C5A
                                                SHA-512:1551C857309CD0CC1E790863B2F66D13DFAF93EC52CF75BE57B75C0530B541EB7636CED9ABF0A6ED159D51B5FAE5B3273EF60C1B992E7EFB555A389C160F96C2
                                                Malicious:false
                                                Preview: 9322J2lO38892691lzr5RN27cSe09t9O251j0KT59323qCTk..042HJI2k4q4Cq34bQsnRi92qba6WUq9m874IdS3X29424X0AFo2T535B98o99030GpB6..3cy8Atz247hz8Y4wdqRM1D28lU0WJL..S22E7490neW8ojls2K6HK8853j8V1RdC868dl41m0t8C628i0D9BW8GjjoU8..sK7t409952P48496tT3QtNnJm48G37B6enNX94Y26h9ZvwK409154N13fqcv11n..wc94bF3Y746bQ7I47a5OSZx5m55Klw12271lo8Lx7w823cglPt67C8K2hs14hD4n1703lU9zJR6m556g4K15nlt1T5Z13o50E7M..668yH777Is078a0fY818sou996994y803Ie87145CE02G15b65sv8yK5n45YpQ279X..dp7y76n71L25Am308Si77VonH480G0MgBtjp..9G0g9pm304X996gA03Fpgt6Pm9VGY9YwFh0573YA4l136Vdo92GW9..6Y8jG5n56Cw2mapS74RJ846V790d5P92430RuL76l6US19PBZHB0ER6g77oM9fC111829f3F63124981jlAO065nL1120oh3..LgV40GR4kQ7QGM3k5p99Xs564fTjDMAaYRiS043l47..32WCO8cb201FO48g74sK12Cl7C1L4e7kf3Zx4XKUS0imG8JxLm5BaND7q1W1en9E5p8859t8831ex5629VDl0..EGQ57Lw197S7G5Pf148834W4hW3vdG..ZDI7F2TY84276xDb034wkm5J9zA6i597U6EUl773tc1..zi8Ez6P888M6Q5O8l96yh3c37W5618N..927k26150E63Y4308Dvs78Emi7143L46W37A09RqB8YqD38v4289VVbai2SjnTO..6Q609A9276278805gV67zAx81eLlojXq0Sya25I68RknCY..6sOAT2l
                                                C:\Users\user\AppData\Roaming\89378384\lpiuchwp.xls
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):534
                                                Entropy (8bit):5.521012864241686
                                                Encrypted:false
                                                SSDEEP:12:HzdDesWWSGdiDYRwbgj84NEnPcrNoTUbdN8k286ROp49dnmy:TkW9iMybgjT+k+23yO4bH
                                                MD5:4E80011AFAFFFE6CBF94D0386EEFCFA3
                                                SHA1:ECCCE856AB86E77C5506FF5E99543686B451ED98
                                                SHA-256:FD1AAA2ABF8BFE45E52271D437CB8BCE342E337A05E7EF318BE218E30D0259C7
                                                SHA-512:DF5DF86F42FD635F294554D58402F86D11DBF7AB72A6CB4D550491854B46EDED2FFA86419C46D7444C274F9CC1939746D9941AE046E1934486E6ADEAE7CAB508
                                                Malicious:false
                                                Preview: 45MSA257tQeu3ahvB87975797Z6UL9ozy53L8f6cC7z2G2558JiYZ3..KA9k5wMv84igd3TDqwB4zVinPN1jkf67p803r025y779S0i2B4f1Q1j69P369N745X78HF3mS492gh223mt992CB01nvl047884q98..2k8937C46vH036KC896dc0OdOcCqR1l3b76YJXvp181BJ41v49..dzzJsotY38837zP58AZ7qit859q1J56mE65009161..42W9ofT5HWR7rPpvJqT9..68Z838t1T94mgQr8QF3E7YF25g1T83pnL5B2A08G913G80a1U08Gaz96qg9D4F08luj8RSYWj7d54333y8ak945qKc76t4Kv4..89F5201cPSn398a7f6m4h2k783nGpb4368d0gn712eK3fX4Cl20p147z6oa7u3seea0hurKFzqu6jaFz9HF400I406p8DiECebq8Fc6D1W5W4syfT942H545MIM8H4Z74r5JfA9B36dtnx24qof410N41dam..
                                                C:\Users\user\AppData\Roaming\89378384\mheqq.log
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):549
                                                Entropy (8bit):5.480205164580472
                                                Encrypted:false
                                                SSDEEP:12:UQTG4kUTBMrhybYZbhv0J7nB5oQiV1D4W/XZr2S2VOoIrcRryGG+z+97qSzS5s:tGqOwbQMJ7nBiNVN4MF2SGZrygQqcSe
                                                MD5:37C227E14C6946E4ED3A0B76F94CE0B4
                                                SHA1:0FFA76F2E34CEDED902E4709EAA229A00CC96755
                                                SHA-256:7762A1FD9088AE1DC65510BE15F2542E993329B0A8F65901BB9E45ECAFD199BE
                                                SHA-512:4C6E035E5DDBE04BC03D95C8FEF9AA4ECF946762BA91E9D84A4265BDF8E6F976F1C7C8E9D68B9F024A2152011301A894C3F7B51E6B1C6E7AA526FA0C884C0A0B
                                                Malicious:false
                                                Preview: V60ZE2115599B12I25HzOBIM91qvNOmWkgEnr98Qa5dT7p..wh416mZtKycGm85x3J91W0I05wDAO36OS046Ur4NiX580dm31wP3Wc8HyE006Fx5..X0z10I862CYq27466SRl95y0ol1ud79r51oa1k3Z69rE77W4es6QX409Vn777Y2hb3sT794452Qt99T25J6bt67P1u06EXHM62Fw466Z..7855E32945848uq126aW70Cm5EZ4FgN1P28Ag..75RSQi288g7tBU..Je764f56R450W4459..V4N77W0Td79ue80477zIVpgl3VD3x9Zd2QbT8f6o9342RqJ9Or..4btv0623m1F63SvV8wc6k5Wub1fKRTR8QF0CFDeOi1g849v205k9w4Os6j97w562uM29HfDAr194JO0612auFd018NZdN74977po5fTi8q045s1P39I86v5l3sJ09PE743cy3ygB..7A5350287002na25V7O3330WCgC998B113861g8jR9Xrb99x8fF475G1B136982..
                                                C:\Users\user\AppData\Roaming\89378384\mvadg.xl
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):589
                                                Entropy (8bit):5.59344746108483
                                                Encrypted:false
                                                SSDEEP:12:7BZ7fownIHabPIURAEFr5RDxMJYc1HZcRpUYGtU9:/fownIHaLIG5RDxMJd15cRpqi9
                                                MD5:B3A1A09E867E85C01BD6118F173EC6E5
                                                SHA1:255AA2149CF96BE8B336C4CFFFBAE461DA3E4894
                                                SHA-256:CF4692B4983E4CCEE77DCC64C6CC775B8A453168DD329864A4331789C7294673
                                                SHA-512:4B7392540244646C1C3E4F9C1F7CB0869A7BCA0422A5E488EF7E99534EE4CAC693D0C41021BC0E8D59EFEC92D58491E71A9DBB75B254F591CFFDD3DC8A042A57
                                                Malicious:false
                                                Preview: Z811OaygtX7nlstb5Jad84KT43C03ZsdR7n2uY51dqA3VSy7..Xu0z8m79exFwW2RLC07oAhZ2Hy8Q42P9J51O0g463RR5bk200aILzpRV56W0319eC8371jy177Sm5465BV3gCh004973n9oR5G9Z5Uno84kA884..k05W31K32h9H81q3orvi2Mhdq2608co97f24fT7t2a23yG8jV7XI68X09N4emjMWyMp6JbAUo4isk011zI25lmA40Ml121kOG64266jR8FfofM71Bqr..1tHhKL9z59ckLtnq8bg7p1Bw65r2Rc44vXVY41253OUAh2k77G8doqBOjM2cUA..45sC55OVtH1zK3np125U27fh17EL5dX65Q0dv464Z5260sT25w96..QE5Z76FtI9X65S3I9s339uz70V6181k00j2h27w79rMMjCW96PBRCbBrv1..yS59396073K2871m4V6UW4FM21H7Rv492NT7Rmpt7724Sv3D6w9C82aY9q1JE54825586tO6724O7SzT7p84U9SVHagU7WF5Hxv20Q0YEa82rA4o3z8yx4uD7a4zJ646E..
                                                C:\Users\user\AppData\Roaming\89378384\neirnbgp.txt
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):591
                                                Entropy (8bit):5.439152650222553
                                                Encrypted:false
                                                SSDEEP:12:Zn3ILv9K1kCLEdTyK4A4bHqgJW02bIwMQ1peKsjduj02oLPShw3:Zn0lQZ0TyQqKD8wzkK3w2orSha
                                                MD5:DF4BB8A2B65B0745977157B4BA904B0F
                                                SHA1:F58B8E0EBF696A83C84A32E0BBCBBFD4CD4CFF0C
                                                SHA-256:0320A702B3684D4E8765AC0046DE266B79B050ACF9280E3D788BF5E84FB0B68B
                                                SHA-512:C91E29F6FF4CE040AB43C07213FE0EDD125DD70A800754E16C5023B6374680B175D1591A127D82FC1EC94223BEF5D08AC437D56D458B6075B1357130F8C4D6B0
                                                Malicious:false
                                                Preview: 6u8fl7F0WR68YaT89tx1P4g2BCEC5..5J6qiavde3uwT413795F5rX32I19L49Jrc61L572p..O32B995..5245z12wIXUJN93U8iGe859FL7F934n1744HYtw6JO128625Vw5D5V8o4iaw76x5419zPC8912876MfMVRGO5U8az10N2kx2r9hctOpml01279m..145205wMj999oV02w4JQ6Gn9r23uHbatr56h86l4X43B9VxJ0LS2z83n6P15Zhy9V62lC9657m7i8927X486fun512S54W6..015q5Ww21OtHBz7X432A92F4d14GFKQ93uhQ4xFEY16Lf94291465N9nC05f3sHR4w7e405C91P83v50231K8ua00Y3IJ4ZWvNAYy31P107491oQ9aA0IU8M8er359iqOj7R4..h5j7o3v0por5w73S1t1lVr802Fq1Wi..eWSG7155bS0IC1OnG2wE82P2I59z3382N79p577I79unM331e72HIt141J3pPaUog0u7L4aA70N083133488fz672990x24G6QhG53y866424uN0dUG7G1q2V067kju47..
                                                C:\Users\user\AppData\Roaming\89378384\odfugpcmco.org
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):124716950
                                                Entropy (8bit):7.015438985316352
                                                Encrypted:false
                                                SSDEEP:196608:BCW+5DVqqFiaQllbRtmbHQsJVkYba/yVYSmexrxyGy72T5skD8lYPsBQ0jPWLX52:D
                                                MD5:39FA527A3B0A8650434BE4083D7FEB0A
                                                SHA1:DD0E9B5DC0A018B12E9A9EC419F07CC573832DBF
                                                SHA-256:2B338EC693FA6CA76C046D0E1F62ED5B3A20F6D7B21910486C580327C894F4B7
                                                SHA-512:9FE9BD5445FDE2DFA3A7F4D105567FA4034E7F4984493D1070CA8FF4E2492DDE394DF0EC817D2538FF4268C90B7001BD56E72E4A28E9A863805C4649DF98F8B9
                                                Malicious:false
                                                Preview: ..;..O]]......C..sh.........#.c.s.........|....!^Sex....Ri@..*.a.^......K......).a....3..{....9.x.....T..c..&7.h....*...~P..4.......h .<E.......a..?.W5.g. .`E_.M@..LM..z.FR|...v.1"eJ.3[......o......TW...T...J.....s.....A.pj$...."...&Q./_3.....l.ly.K7......F.~.a...Hd...7...8..2............'..!<Gx#................Gc$.H.{.q,~.u......._.$.%....Z.o.3.Y.8.4.t.9.5.H.C.7.8.3.G.S.E.z.0.1.0.l.5.b.U.4.C.5.....4.1.4.7.j.9.4.L.6.9.e.6.1.6.i.3.A......(.......9 ............}....c.....#....o.$f>.....2...j..G.....70.d.{b...' Z4.Sb."}...mL........>.C+|...t......F.Y...v.^t.O.M|s.S.it..{.&B..VW...+A....C0L......}...R..x...-,.M.kx..j....W.?..'...aW..l.$07.3....H.D..sB..?.o.z..O.f3...9.^...7..7B....i..#.E..........%i.Mx.H.U...S.7.:.F.......^uo.'ELZ.<}...)..f./.%..F_..E.[....`)A.J..z...3.h...&..a..=ud^.'..u.I...z..f.....5C."A.......;.h~ ...C.{j1.P.H.....M.%...y./....Fs..|o<......Ze.0....bI>..."Zu.. ...yo.Fa.s..F|c.i^]s^.l.....1..Bo.......H...]}..x>..x..
                                                C:\Users\user\AppData\Roaming\89378384\olvljot.icm
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):553
                                                Entropy (8bit):5.432434398168419
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:384165B9E6C84F131D4A63EE529EEB05
                                                SHA1:B6FC12C6EDC5803F786AC9266F59FBA7F24514C7
                                                SHA-256:99E8D6B9065EBE32F36FA12CD09BC1C3F9BCEDEFA3966118C1F2FF53AFEDD4F2
                                                SHA-512:257D2EE7DEB346D1C89C84679A7C2B0CB60A87D15837C019DE57B45AC35F869B489AAAFBDC44F6DA49D561B022E444F5A208F46BC592F6794CBA4BCD48C2BA34
                                                Malicious:false
                                                Preview: 85Va5DGRx4292b957Tb40n5U7H14FU09fa67186d3cD..3377t8m781iyR31NN3gpo4S0b69C2fa7hH41ws745iFH28377NL842901E299E86J7W7648M850p6934KQz6G7w21255fF60..27UXhX024RQuul42jy89T7m5p6j776158g17819..c8m411qtuo184p762M3537e416AOyqQcsvvwaPG4431j4MGW7026bIw6P4k5HS..cd6ui457zSkMSg69K905M1RAJ32cGN80Wso2l7f39XSB1572D9D4Inv9R2JVyrua07WFstHRT50Rh43392Q14M03P8Y4E8H93FU1icV33zBNK0H51S9sCHoIox87g04X3fN9S4U9..o75f9V576x416jpiWYtrr55p325rQ5..5My1VF7jY8UDX236f9E3Ts7438OA45h967U1117CxqtHE70Tu52Nu2D14J307EqD0To344uxi63f9..u2ps1F7E0411Dm4m20138m39Z32J09MM298s590I2UUYi8u543624Z..
                                                C:\Users\user\AppData\Roaming\89378384\pravpih.msc
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):573
                                                Entropy (8bit):5.462559461768957
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:B155B473CC9DEF0D4B2B38F5C9BBF7F2
                                                SHA1:430CF6A0262CC7A67ABA6D1DB0573291B4EAABB2
                                                SHA-256:9B7B77279DD6A3FF5526FC18142459BC3475D8EA92DB90E5DEACD0CC2E8261DE
                                                SHA-512:886A123DD9AD700F08115F7BEBD480C459329446C2E6B12F2811A193B83FA39442FA438570B3DA5330084C73042341B6D643F8F1F696AB66A24BFAC06AE459BA
                                                Malicious:false
                                                Preview: 3l4e97342mqJ1b218Gaq34s1978nE01932tEc3EMAulL8..4wi047M436Y91Vloy3DEY60fJ31qg7275569vGxfaJOJ7d3EBUh15S22zYCP8g12780g5yTRqiB4W6wW6J659xjiD9IP8Vx0D10332conxv322pfPQXq23611K38Yt7C5Z3O699Q73qh0E3t59mEY177C73..Vq9675t53E661F2g7q26DA850fyy2Uzy3D59fK5TkBb0601Je6vWys48074..1cL7645knXZx690S8VrneKO9wWybw972hkEo78532p37vKk5BH47B22613210Y20Q937ws3a9753575gqzVKV781w2O1757H1Tf7W14tp6UA8I455pDH1E8U542MV2URn3bI1kq4RB06Al9LU7372p24qjvrM2041Z3og9VLX29OvY..83460811Ca1H1j3982n..64yp7c17VKvx5namos2264m0q641eWB0MDZ5vr90l6Es428MQfM26q89Z2N8o2Vv413oj58oA6M89ep34Fc8hfWZOR75L6465s57YLq99L5e9..
                                                C:\Users\user\AppData\Roaming\89378384\pssktmsip.ppt
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):679
                                                Entropy (8bit):5.524374021299318
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:4824754E653B24D4BD4223120722413D
                                                SHA1:6A5177A850F7A2C48B16ADFC890310098497BDCF
                                                SHA-256:1AD8F76ABE067A25D5623FEFD4A540D61E6F49690A7BF0BC1E9D4229F11E1678
                                                SHA-512:70D0F7C09A1560533F96D33B9A2B363D4226A41EE94A4AB1F37DE8A4282E9490229CE5CB7D4FF0FC34C42834C39E373ECF374F7C7DCA564ADDAFA14D9776D208
                                                Malicious:false
                                                Preview: 023B5r1368E24NT679JZ92WeG0HB1YAAuo10m267Ln9yNptJ5377Cu005i2clN7E554aDJ89kH..Prh6P85kjl5NN081G9dxo4nwtynAan23l6w61j3EoiRj3C1210qj934qwi258sW315rgO4M6o5W851BX6EeWrHH0LF30pxj3xX5n7FmXh4A47HnS6m1241h23OaaSR951g2043814062Q13uL88bwW7w..47SegE27314A5giDqKSf2ja3289oG4sW7327WmP7M5VqzBW69w453Ip..k74093Y483b5095S82691wr28z99kUJ7T48a0mUBAAu653Bu1fUAP33z4P7fde9e48523RFy5HL0unZOO14G1OJez8iW5K13nz6Hv163Ta0X5..5KA8001Ijb98olriT5YY5..6hv907K3496ck6N3i627KDF18zG7A95K9j1n5M4729o5316j581p8wf743z5F8L486U7s..6YZ3y33o30aUw50yIFD4EA96YMZ9EsCcf323KC12k9L37aF486WKBdll55Qp4Hu4jUwPv9hm0nP26f8iLpUgJg5nL7bINP89H5Q8T06W0843sua60A739852897Zcwpp762h5JsO570nM6he3Lh5002vr44O5611zgvw1f36T1p459451N0zx896L..
                                                C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):662768
                                                Entropy (8bit):6.567604064397569
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:F471B7C16D5B01AF9F67F5F4A921F81F
                                                SHA1:D84A2ABAAC3E7FA6E5D4918DDBCDEC47AAF91D5B
                                                SHA-256:BE75E476ECA46172219A1EBD97D0F37B464D4DC079F25728D99A0F85F6060220
                                                SHA-512:0F1C6315F5E510C943DBE3A68C47E9C531F39CC08E3C155AC3D886F8861CD4978D6179EA23FA2D34E3499338D5CEBD0FDDE8F7F0D54B1662E582D6D7DC877986
                                                Malicious:true
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................p.......6....@...@.......@.........................T.......04.......................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...04.......6...R..............@..@.reloc...u.......v..................@..B................................................................................................................................................................................................................................................................................................................
                                                C:\Users\user\AppData\Roaming\89378384\rvhkj.pdf
                                                Process:C:\Users\user\Desktop\SWIFTS.scr.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):665
                                                Entropy (8bit):5.490381038410321
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:23C2CDF4FF1C342864FEDD5E2EE521C1
                                                SHA1:68F2B63E08D26183411F4DA12EE0B6A22E597147
                                                SHA-256:5A358AC70C2DC504CE79751FC8F94FB93BF9D9EA8DB1914172E1D17D9CD6A4B3
                                                SHA-512:20B2F8162879E3B664AFFF91FA467DF6AB5784FD8C69B73823A7F272E9910137CC1522B3DF59EBDB1E9AB11D86E8316105EFB31CFD4112AD70EFF8046CA46902
                                                Malicious:false
                                                Preview: Re84z516x0VxX229zn63pa4qF862nCI1378Gu217..60v1q10F28f72624958t2L78wK4HI5V9Z5i5069kp7xM1V74I8f2g929113sD79E5a9R9V21xuHcZ1o43I771pe9s35KTt958kFdZ791t..EepJ625i6V32R635jvXsms95XJ5Sa14N..OT4Nrm5K4d5Y14jjm39YgtJC9h19191n1sO60C26ef9..164ZH5qb7o50s607X..39l5R6REe10tG9LJI3466l4AqS83LB9149Uly70r9d9oeT33P..ca34s89Nw0S9708kHKbt3HK1NGJ3180..s1tU5HjN15222028uWjuq8g1Q06379pk14S56..u6ME703OKD2Z274N175ni8KK43u54sKIlmo14t31lCfK6l6b08bm283C34sPefh3538067D147..03WH015IXaW45D9h2y1U77uNa1T6768IAjGA2..60n437PHyeC6V..c9ckX3s3q8UlP86Xqi50mC365i7497P04EB2Ff7p8POJn3jwJ06x399qOg69se8Oo46o29bef9wrpU581h96668791k42odAHCZ47Xacs95xCHuoh5n88ep0r6bk36254b9vc5Okt0U7MM3y5T563R4J1i687u4wMlm..
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2088
                                                Entropy (8bit):7.024371743172393
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:0D6805D12813A857D50D42D6EE2CCAB0
                                                SHA1:78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
                                                SHA-256:182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
                                                SHA-512:5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
                                                Malicious:false
                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:Non-ISO extended-ASCII text, with NEL line terminators
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:184D6E973996EE47090F6CDAD2A1AEF9
                                                SHA1:5B5DA257DBE8C2320C7F7BF006055AC700414F47
                                                SHA-256:7333A4089B969A2398FC56B13F1F8A2DF56EF1F3F9453FF6FEC6ACA9722E5A94
                                                SHA-512:B0524F62FB8BED6318D00EF9E71D5E375C8EE775A0A5D8D2406A40CDB9B30EE0C4CFA255E6653F48839E41758B814E44A0985F26F6451B5705217A58CB84C5DE
                                                Malicious:true
                                                Preview: jP.....H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):40
                                                Entropy (8bit):5.153055907333276
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                Malicious:false
                                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):327432
                                                Entropy (8bit):7.99938831605763
                                                Encrypted:true
                                                SSDEEP:
                                                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                Malicious:false
                                                Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):48
                                                Entropy (8bit):4.297995052579129
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:CE0CB1FF5FD6AF478BC9B018A60C6268
                                                SHA1:375BAD43F493898F0F7836FF08C4C9E98381717B
                                                SHA-256:6B93E1A15031E86950FFEDA4F5066EF4683D8ED62223AE3053E1098374E50B67
                                                SHA-512:7CEF4E7006C3B53454777CC356EC7F76D0BCD082CEE1B7FDAD1968260251660D133C477AB4548AE96E164D6DB280E49DD14C3FFA721A581769D0C5FDD34789FF
                                                Malicious:false
                                                Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                C:\Users\user\temp\lklphvrvl.dll
                                                Process:C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):89
                                                Entropy (8bit):4.991316195702863
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:5800002E9E3FC9321110CB9AAAEBCD4A
                                                SHA1:1004452BFF4A12EC0D8DF35C47F7DEB6C80CFCD3
                                                SHA-256:BF9250550F0A5FB651D48C09A25C2FA85D718558B071EE3E67B922D4621EB5E1
                                                SHA-512:086C5AD55EF93FBA1662BBA5D3A8BA38A5A8380058F20ADC7EFD9586D355C7BE5BD33A4E3DC888E8E5425D00D3D647AB3358F49A65BBFCB4F31F867E8A114BF6
                                                Malicious:false
                                                Preview: [S3tt!ng]..stpth=%appdata%..Key=WindowsUpdate..Dir3ctory=89378384..ExE_c=qtfarawjob.pif..
                                                \Device\ConDrv
                                                Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                File Type:ASCII text, with CRLF, LF line terminators
                                                Category:dropped
                                                Size (bytes):215
                                                Entropy (8bit):4.911407397013505
                                                Encrypted:false
                                                SSDEEP:
                                                MD5:623152A30E4F18810EB8E046163DB399
                                                SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
                                                SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
                                                SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
                                                Malicious:false
                                                Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.815157465823464
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:SWIFTS.scr.exe
                                                File size:1020808
                                                MD5:0984d8481d809d2715214d220d5f3224
                                                SHA1:be4bfdae28308590b04709935794109a77d5ecee
                                                SHA256:f2597b91433ba86188dd0e53cf04d2c43d97f5231bc3077df18e75447f15c77c
                                                SHA512:6d3bc4b24ea6b426890310a9ddaa27047ae4dbe983790d367889a1c5452d964e11c7a3d0ead8ff96cc7f27067ffa5c9f5925e75e1d7d994c8504b01b662ff2f9
                                                SSDEEP:24576:BAOcZpJdk843dd0aChdB45NNgo0UBXUUHhh:bIr4tWapHP0Uy2h
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

                                                File Icon

                                                Icon Hash:1ab8e6e663d6c77a

                                                Static PE Info

                                                General

                                                Entrypoint:0x41e1f9
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:1
                                                File Version Major:5
                                                File Version Minor:1
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:1
                                                Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

                                                Entrypoint Preview

                                                Instruction
                                                call 00007F39F8B186BFh
                                                jmp 00007F39F8B180B3h
                                                cmp ecx, dword ptr [0043D668h]
                                                jne 00007F39F8B18225h
                                                ret
                                                jmp 00007F39F8B18835h
                                                ret
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 00433068h
                                                mov dword ptr [ecx], 00434284h
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                push dword ptr [ebp+08h]
                                                mov esi, ecx
                                                call 00007F39F8B0B631h
                                                mov dword ptr [esi], 00434290h
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                and dword ptr [ecx+04h], 00000000h
                                                mov eax, ecx
                                                and dword ptr [ecx+08h], 00000000h
                                                mov dword ptr [ecx+04h], 00434298h
                                                mov dword ptr [ecx], 00434290h
                                                ret
                                                lea eax, dword ptr [ecx+04h]
                                                mov dword ptr [ecx], 00434278h
                                                push eax
                                                call 00007F39F8B1B3CDh
                                                pop ecx
                                                ret
                                                push ebp
                                                mov ebp, esp
                                                push esi
                                                mov esi, ecx
                                                lea eax, dword ptr [esi+04h]
                                                mov dword ptr [esi], 00434278h
                                                push eax
                                                call 00007F39F8B1B3B6h
                                                test byte ptr [ebp+08h], 00000001h
                                                pop ecx
                                                je 00007F39F8B1822Ch
                                                push 0000000Ch
                                                push esi
                                                call 00007F39F8B177EFh
                                                pop ecx
                                                pop ecx
                                                mov eax, esi
                                                pop esi
                                                pop ebp
                                                retn 0004h
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 0Ch
                                                lea ecx, dword ptr [ebp-0Ch]
                                                call 00007F39F8B1818Eh
                                                push 0043A410h
                                                lea eax, dword ptr [ebp-0Ch]
                                                push eax
                                                call 00007F39F8B1AAB5h
                                                int3
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 0Ch

                                                Rich Headers

                                                Programming Language:
                                                • [ C ] VS2008 SP1 build 30729
                                                • [EXP] VS2015 UPD3.1 build 24215
                                                • [LNK] VS2015 UPD3.1 build 24215
                                                • [IMP] VS2008 SP1 build 30729
                                                • [C++] VS2015 UPD3.1 build 24215
                                                • [RES] VS2015 UPD3 build 24213

                                                Data Directories

                                                 Name                                   Virtual Address  Virtual Size  Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT           0x3b540          0x34          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT           0x3b574          0x3c          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE         0x62000          0x57e8        .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC        0x68000          0x210c        .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG            0x397d0          0x54          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x34218          0x40          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IAT              0x32000          0x260         .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x3aaec          0x120         .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                Sections

                                                 Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                 .text   0x1000           0x30581       0x30600   False     0.589268410853   data       6.70021125825  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 .rdata  0x32000          0xa332        0xa400    False     0.455030487805   data       5.23888424127  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data   0x3d000          0x238b0       0x1200    False     0.368272569444   data       3.83993526939  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                 .gfids  0x61000          0xe8          0x200     False     0.333984375      data       2.12166381533  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .rsrc   0x62000          0x57e8        0x5800    False     0.618430397727   data       6.34217881671  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc  0x68000          0x210c        0x2200    False     0.786534926471   data       6.61038519378  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                 Name           RVA      Size    Type                                                                                               Language  Country
                                                 PNG            0x62524  0xb45   PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced                                          English   United States
                                                 PNG            0x6306c  0x15a9  PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced                                         English   United States
                                                 RT_ICON        0x64618  0xea8   data
                                                 RT_DIALOG      0x654c0  0x286   data                                                                                               English   United States
                                                 RT_DIALOG      0x65748  0x13a   data                                                                                               English   United States
                                                 RT_DIALOG      0x65884  0xec    data                                                                                               English   United States
                                                 RT_DIALOG      0x65970  0x12e   data                                                                                               English   United States
                                                 RT_DIALOG      0x65aa0  0x338   data                                                                                               English   United States
                                                 RT_DIALOG      0x65dd8  0x252   data                                                                                               English   United States
                                                 RT_STRING      0x6602c  0x1e2   data                                                                                               English   United States
                                                 RT_STRING      0x66210  0x1cc   data                                                                                               English   United States
                                                 RT_STRING      0x663dc  0x1b8   data                                                                                               English   United States
                                                 RT_STRING      0x66594  0x146   Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500    English   United States
                                                 RT_STRING      0x666dc  0x446   data                                                                                               English   United States
                                                 RT_STRING      0x66b24  0x166   data                                                                                               English   United States
                                                 RT_STRING      0x66c8c  0x152   data                                                                                               English   United States
                                                 RT_STRING      0x66de0  0x10a   data                                                                                               English   United States
                                                 RT_STRING      0x66eec  0xbc    data                                                                                               English   United States
                                                 RT_STRING      0x66fa8  0xd6    data                                                                                               English   United States
                                                 RT_GROUP_ICON  0x67080  0x14    data
                                                 RT_MANIFEST    0x67094  0x753   XML 1.0 document, ASCII text, with CRLF line terminators                                           English   United States

                                                Imports

                                                 DLL           Import
                                                 KERNEL32.dll  GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                                 gdiplus.dll   GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken
                                                English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                04/12/21-05:07:09.165021 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.202370 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                                04/12/21-05:07:09.206372 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.245462 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
                                                04/12/21-05:07:09.245877 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.281909 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.50.25 | 192.168.2.6
                                                04/12/21-05:07:09.285417 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.326911 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.62 | 192.168.2.6
                                                04/12/21-05:07:09.328747 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.375725 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.253 | 192.168.2.6
                                                04/12/21-05:07:09.376183 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.424608 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.14.78 | 192.168.2.6
                                                04/12/21-05:07:09.425435 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.488302 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.117 | 192.168.2.6
                                                04/12/21-05:07:09.488998 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.541933 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
                                                04/12/21-05:07:09.542454 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                                04/12/21-05:07:09.596007 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.232 | 192.168.2.6

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets


                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Apr 12, 2021 05:07:24.227725029 CEST | 192.168.2.6 | 8.8.8.8 | 0x4f37 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:30.764930964 CEST | 192.168.2.6 | 8.8.8.8 | 0xbb27 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:37.741466999 CEST | 192.168.2.6 | 8.8.8.8 | 0x5273 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:44.768863916 CEST | 192.168.2.6 | 8.8.8.8 | 0x386 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:51.925920963 CEST | 192.168.2.6 | 8.8.8.8 | 0x61d2 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:58.989599943 CEST | 192.168.2.6 | 8.8.8.8 | 0x3d6b | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:05.927719116 CEST | 192.168.2.6 | 8.8.8.8 | 0x6d7f | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:12.949404955 CEST | 192.168.2.6 | 8.8.8.8 | 0x448e | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:20.316972017 CEST | 192.168.2.6 | 8.8.8.8 | 0x8276 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:26.702847958 CEST | 192.168.2.6 | 8.8.8.8 | 0x957d | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:33.967689991 CEST | 192.168.2.6 | 8.8.8.8 | 0xaac5 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:40.731115103 CEST | 192.168.2.6 | 8.8.8.8 | 0xc55 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:47.781793118 CEST | 192.168.2.6 | 8.8.8.8 | 0x2e24 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:56.024343014 CEST | 192.168.2.6 | 8.8.8.8 | 0xc69b | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:09:03.148418903 CEST | 192.168.2.6 | 8.8.8.8 | 0xf8d4 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:09:10.201092005 CEST | 192.168.2.6 | 8.8.8.8 | 0xeee6 | Standard query (0) | ekuro.hopto.org | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Apr 12, 2021 05:07:24.287436962 CEST | 8.8.8.8 | 192.168.2.6 | 0x4f37 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:30.824862003 CEST | 8.8.8.8 | 192.168.2.6 | 0xbb27 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:37.800221920 CEST | 8.8.8.8 | 192.168.2.6 | 0x5273 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:44.825712919 CEST | 8.8.8.8 | 192.168.2.6 | 0x386 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:51.984498978 CEST | 8.8.8.8 | 192.168.2.6 | 0x61d2 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:07:59.047719955 CEST | 8.8.8.8 | 192.168.2.6 | 0x3d6b | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:05.984985113 CEST | 8.8.8.8 | 192.168.2.6 | 0x6d7f | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:13.006405115 CEST | 8.8.8.8 | 192.168.2.6 | 0x448e | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:20.374080896 CEST | 8.8.8.8 | 192.168.2.6 | 0x8276 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:26.762236118 CEST | 8.8.8.8 | 192.168.2.6 | 0x957d | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:34.026248932 CEST | 8.8.8.8 | 192.168.2.6 | 0xaac5 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:40.781503916 CEST | 8.8.8.8 | 192.168.2.6 | 0xc55 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:47.841530085 CEST | 8.8.8.8 | 192.168.2.6 | 0x2e24 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:08:56.081618071 CEST | 8.8.8.8 | 192.168.2.6 | 0xc69b | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:09:03.205610037 CEST | 8.8.8.8 | 192.168.2.6 | 0xf8d4 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)
                                                Apr 12, 2021 05:09:10.259608030 CEST | 8.8.8.8 | 192.168.2.6 | 0xeee6 | No error (0) | ekuro.hopto.org | | 194.5.98.184 | A (IP address) | IN (0x0001)

                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time: 05:07:05
                                                Start date: 12/04/2021
                                                Path: C:\Users\user\Desktop\SWIFTS.scr.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\SWIFTS.scr.exe'
                                                Imagebase: 0xee0000
                                                File size: 1020808 bytes
                                                MD5 hash: 0984D8481D809D2715214D220D5F3224
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: low

                                                General

                                                Start time: 05:07:12
                                                Start date: 12/04/2021
                                                Path: C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif' odfugpcmco.org
                                                Imagebase: 0xf0000
                                                File size: 662768 bytes
                                                MD5 hash: F471B7C16D5B01AF9F67F5F4A921F81F
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343262575.00000000049D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343194863.0000000004A51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343095716.0000000004A84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.345055331.00000000049D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.345307078.0000000004A83000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343476102.0000000004AB6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343140164.0000000004A04000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343507843.0000000004AE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343433163.0000000004AB6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.344666735.0000000004A03000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.345446557.0000000004A51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343592182.0000000004B1B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.345193902.0000000004AB6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.343388307.0000000004A03000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:05:07:17
                                                Start date:12/04/2021
                                                Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Imagebase:0xa00000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593935065.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.590990913.0000000004495000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593967539.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593967539.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.594092572.0000000006F80000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.594092572.0000000006F80000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.536569006.00000000051C8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593813593.0000000006EC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593813593.0000000006EC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.592048655.00000000051A7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.594107341.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.594107341.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.591934672.00000000050BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.591488895.0000000004E76000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.594522145.0000000007490000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.594522145.0000000007490000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.593310031.0000000005F70000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593746192.0000000006EB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593746192.0000000006EB0000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.594053531.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.594053531.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593208278.0000000005D90000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593208278.0000000005D90000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593916225.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593916225.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593893788.0000000006F00000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593893788.0000000006F00000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.591902295.00000000050A6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.587691040.00000000034AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.586093866.0000000000E02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.594026273.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.594026273.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.593985539.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.593985539.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.587531110.0000000003441000.00000004.00000001.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 0%, Metadefender, Browse
                                                • Detection: 0%, ReversingLabs
                                                Reputation:high

                                                General

                                                Start time:05:07:20
                                                Start date:12/04/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA342.tmp'
                                                Imagebase:0xcf0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:05:07:20
                                                Start date:12/04/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:05:07:23
                                                Start date:12/04/2021
                                                Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
                                                Imagebase:0x7e0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Start time:05:07:23
                                                Start date:12/04/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:05:07:24
                                                Start date:12/04/2021
                                                Path:C:\Users\user\AppData\Roaming\89378384\qtfarawjob.pif
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\89378384\QTFARA~1.PIF' C:\Users\user\AppData\Roaming\89378384\ODFUGP~1.ORG
                                                Imagebase:0xf0000
                                                File size:662768 bytes
                                                MD5 hash:F471B7C16D5B01AF9F67F5F4A921F81F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.369835210.0000000003EF4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.371760898.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.370790447.0000000003E17000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.371839238.0000000003FA6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.371972017.0000000003F73000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.372073303.0000000003F41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.369800232.0000000003F74000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.369871220.0000000003F41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.370824550.0000000003DF5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.371528290.0000000003EF3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.369946595.0000000003EC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.370138817.0000000003FD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000003.370011747.0000000003F73000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                General

                                                Start time:05:07:29
                                                Start date:12/04/2021
                                                Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                Imagebase:0x620000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.388090942.0000000000A02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.389362789.0000000003001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.389636385.0000000004009000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:high

                                                Disassembly

                                                Code Analysis
