Analysis Report RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 358327
MD5: 6733e06c6be5ca14ffc33763202f53c8
SHA1: 9412d3147b30a873b94e2d0f495eafdea1479ee1
SHA256: 72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe ReversingLabs: Detection: 14%
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files
Source: RFQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_09537DD8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_09536CCC
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then xor edx, edx 0_2_095376B8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_09307DD8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_09306CCC
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then xor edx, edx 20_2_093076B8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_09309BC4
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_09306D25
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 20_2_09306F7C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 185.244.30.161:1985
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494057230.00000000096F4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ.exe, 00000000.00000002.474479540.0000000002F01000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RFQ.exe, 00000000.00000002.474462948.0000000002EEB000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595053339.0000000002D3A000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: enrnus.exe, 00000014.00000002.593139988.000000000102B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: RFQ.exe, Zz97/w6DE.cs Large array initialization: .cctor: array initializer size 3785
Source: RFQ.exe, Zz97/w6DE.cs Large array initialization: .cctor: array initializer size 2501
Source: RFQ.exe, Zz97/w6DE.cs Large array initialization: .cctor: array initializer size 2389
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_02D0C8F0 0_2_02D0C8F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06897767 0_2_06897767
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_068964A8 0_2_068964A8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06894410 0_2_06894410
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_068985E8 0_2_068985E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689EE98 0_2_0689EE98
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06896D08 0_2_06896D08
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689492F 0_2_0689492F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689E690 0_2_0689E690
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A758 0_2_0689A758
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A768 0_2_0689A768
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06896421 0_2_06896421
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689647D 0_2_0689647D
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_068985BF 0_2_068985BF
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06899500 0_2_06899500
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06899510 0_2_06899510
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06897208 0_2_06897208
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A0BA 0_2_0689A0BA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A0C8 0_2_0689A0C8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689AC18 0_2_0689AC18
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689AC17 0_2_0689AC17
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689ADF0 0_2_0689ADF0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689D8F8 0_2_0689D8F8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A992 0_2_0689A992
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A9A0 0_2_0689A9A0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06895927 0_2_06895927
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0953B980 0_2_0953B980
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_09531BC1 0_2_09531BC1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0953EF88 0_2_0953EF88
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_09532408 0_2_09532408
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0953A9D2 0_2_0953A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_01269028 20_2_01269028
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_052885E8 20_2_052885E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05284410 20_2_05284410
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_052864A8 20_2_052864A8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528775B 20_2_0528775B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05287208 20_2_05287208
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05286D08 20_2_05286D08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528EE98 20_2_0528EE98
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05284920 20_2_05284920
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05289500 20_2_05289500
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05288503 20_2_05288503
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05289510 20_2_05289510
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05288583 20_2_05288583
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528640D 20_2_0528640D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528647D 20_2_0528647D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A768 20_2_0528A768
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A763 20_2_0528A763
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528E690 20_2_0528E690
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A0BB 20_2_0528A0BB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A0C8 20_2_0528A0C8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528ADF3 20_2_0528ADF3
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528AC0B 20_2_0528AC0B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528AC18 20_2_0528AC18
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_05285918 20_2_05285918
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A9A0 20_2_0528A9A0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528A993 20_2_0528A993
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528D8F8 20_2_0528D8F8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930B98B 20_2_0930B98B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09301C54 20_2_09301C54
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930EF88 20_2_0930EF88
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09302408 20_2_09302408
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930A9BD 20_2_0930A9BD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930A9D2 20_2_0930A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_093028B0 20_2_093028B0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_093028A1 20_2_093028A1
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_093088E8 20_2_093088E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_093088DB 20_2_093088DB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930AB00 20_2_0930AB00
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09301BD5 20_2_09301BD5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930CA3A 20_2_0930CA3A
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930AA76 20_2_0930AA76
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930AA61 20_2_0930AA61
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930AAEB 20_2_0930AAEB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09302DF9 20_2_09302DF9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930CDCE 20_2_0930CDCE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09302E08 20_2_09302E08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09300013 20_2_09300013
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09300040 20_2_09300040
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09308338 20_2_09308338
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0930832B 20_2_0930832B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_09303468 20_2_09303468
Sample file is different than original file name gathered from version info
Source: RFQ.exe, 00000000.00000002.473701970.0000000001180000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.475260216.0000000003EA8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.471971758.0000000000AF2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479695620.00000000068A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ.exe
Source: RFQ.exe Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe
Uses 32bit PE files
Source: RFQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Yara signature match
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@8/4@0/0
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_01
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: RFQ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RFQ.exe File read: C:\Users\user\Desktop\RFQ.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F86A3 push edi; ret 0_2_009F86A4
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F42C7 push edi; ret 0_2_009F42C8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F261E push ebx; iretd 0_2_009F262B
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F743D pushad ; ret 0_2_009F7445
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F8673 push edi; ret 0_2_009F8674
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F7DA4 pushad ; ret 0_2_009F7DA5
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F73E4 pushad ; ret 0_2_009F7405
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F7B07 push ecx; retf 0_2_009F7B08
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F5900 push es; iretd 0_2_009F590D
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F675C push ss; retf 0_2_009F675D
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_009F857E push ecx; retf 0_2_009F857F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689A612 push es; iretd 0_2_0689A61C
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689854F push es; ret 0_2_06898580
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_06899211 pushfd ; iretd 0_2_0689921D
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689525A push ecx; ret 0_2_0689525E
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_0689B0FC push ecx; iretd 0_2_0689B0FE
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_068961DC pushad ; iretd 0_2_068961DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C8673 push edi; ret 20_2_007C8674
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C743D pushad ; ret 20_2_007C7445
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C261E push ebx; iretd 20_2_007C262B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C42C7 push edi; ret 20_2_007C42C8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C86A3 push edi; ret 20_2_007C86A4
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C857E push ecx; retf 20_2_007C857F
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C675C push ss; retf 20_2_007C675D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C7B07 push ecx; retf 20_2_007C7B08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C5900 push es; iretd 20_2_007C590D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C73E4 pushad ; ret 20_2_007C7405
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_007C7DA4 pushad ; ret 20_2_007C7DA5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_052861DC pushad ; iretd 20_2_052861DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528B0FC push ecx; iretd 20_2_0528B0FE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Code function: 20_2_0528525A push ecx; ret 20_2_0528525E

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe\:Zone.Identifier:$DATA
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiomac

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Users\user\Desktop\RFQ.exe\:Zone.Identifier read attributes | delete
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RFQ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\RFQ.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\RFQ.exe Window / User API: threadDelayed 885
Source: C:\Users\user\Desktop\RFQ.exe Window / User API: threadDelayed 8833
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Window / User API: threadDelayed 834
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Window / User API: threadDelayed 8921
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\RFQ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RegAsm.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156 Thread sleep count: 885 > 30
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156 Thread sleep count: 8833 > 30
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44859s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44750s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44640s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44531s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44422s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44312s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44203s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43984s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43875s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43765s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43656s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43547s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43437s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43328s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43219s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43109s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42890s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42781s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42672s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42562s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42453s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42344s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42234s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42125s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -42015s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41906s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41797s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41687s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41578s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41469s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41359s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41250s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -41125s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40984s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40875s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40765s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40656s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40547s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40406s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40297s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40187s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -40078s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -39969s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -39859s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -39750s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020 Thread sleep time: -39640s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720 Thread sleep count: 834 > 30
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720 Thread sleep count: 8921 > 30
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -45000s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44828s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44719s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44594s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44484s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44375s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44266s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44156s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -44047s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43938s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43797s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43625s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43516s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43406s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43297s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43178s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -43063s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -42953s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -42531s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -42406s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -42297s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -42141s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -41485s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -41344s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -41234s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -41125s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -41016s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40891s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40750s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40641s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40500s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40391s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40250s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40141s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -40031s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39922s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39813s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39703s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39594s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39485s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39344s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39234s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39125s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -39016s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -38906s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -38797s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -38672s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716 Thread sleep time: -38563s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: VMware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Pb
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: enrnus.exe, 00000014.00000002.593271485.000000000105D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\RFQ.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\RFQ.exe Process token adjusted: Debug
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp Binary or memory string: Progman
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: RFQ.exe, 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: enrnus.exe, 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE
Behavior Graph (graph image not reproduced; ID: 358327, Sample: RFQ.exe, Startdate: 25/02/2021, Architecture: WINDOWS, Score: 100)

Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 4 other signatures

RFQ.exe started. Files dropped: C:\ProgramData\Microsoft\...\enrnus.exe (PE32); C:\ProgramData\...\enrnus.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32). Signatures: Drops PE files to the startup folder; Hides that the sample has been downloaded from the Internet (zone.identifier)

RFQ.exe started enrnus.exe and cmd.exe. enrnus.exe signature: Hides that the sample has been downloaded from the Internet (zone.identifier). cmd.exe started conhost.exe and reg.exe.
No contacted IP infos