Play interactive tour

Edit tour

Analysis Report RFQ.exe

Overview

General Information

Sample Name:	RFQ.exe
Analysis ID:	358327
MD5:	6733e06c6be5ca14ffc33763202f53c8
SHA1:	9412d3147b30a873b94e2d0f495eafdea1479ee1
SHA256:	72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains very large array initializations

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Startup

System is w10x64

RFQ.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: 6733E06C6BE5CA14FFC33763202F53C8)

cmd.exe (PID: 6032 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6188 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

enrnus.exe (PID: 2288 cmdline: 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: 6733E06C6BE5CA14FFC33763202F53C8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b97:$x1: NanoCore.ClientPluginHost 0x43755:$x1: NanoCore.ClientPluginHost 0x10bd4:$x2: IClientNetworkHost 0x43792:$x2: IClientNetworkHost 0x14707:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x472c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x108ff:$a: NanoCore 0x1090f:$a: NanoCore 0x10b43:$a: NanoCore 0x10b57:$a: NanoCore 0x10b97:$a: NanoCore 0x434bd:$a: NanoCore 0x434cd:$a: NanoCore 0x43701:$a: NanoCore 0x43715:$a: NanoCore 0x43755:$a: NanoCore 0x1095e:$b: ClientPlugin 0x10b60:$b: ClientPlugin 0x10ba0:$b: ClientPlugin 0x4351c:$b: ClientPlugin 0x4371e:$b: ClientPlugin 0x4375e:$b: ClientPlugin 0x10a85:$c: ProjectData 0x43643:$c: ProjectData 0x1148c:$d: DESCrypto 0x4404a:$d: DESCrypto 0x18e58:$e: KeepAlive
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x43ca7:$x1: NanoCore.ClientPluginHost 0x76877:$x1: NanoCore.ClientPluginHost 0xa9437:$x1: NanoCore.ClientPluginHost 0x43ce4:$x2: IClientNetworkHost 0x768b4:$x2: IClientNetworkHost 0xa9474:$x2: IClientNetworkHost 0x47817:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a3e7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xacfa7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43a0f:$a: NanoCore 0x43a1f:$a: NanoCore 0x43c53:$a: NanoCore 0x43c67:$a: NanoCore 0x43ca7:$a: NanoCore 0x765df:$a: NanoCore 0x765ef:$a: NanoCore 0x76823:$a: NanoCore 0x76837:$a: NanoCore 0x76877:$a: NanoCore 0xa919f:$a: NanoCore 0xa91af:$a: NanoCore 0xa93e3:$a: NanoCore 0xa93f7:$a: NanoCore 0xa9437:$a: NanoCore 0x43a6e:$b: ClientPlugin 0x43c70:$b: ClientPlugin 0x43cb0:$b: ClientPlugin 0x7663e:$b: ClientPlugin 0x76840:$b: ClientPlugin 0x76880:$b: ClientPlugin
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4339f:$x1: NanoCore.ClientPluginHost 0x75f6f:$x1: NanoCore.ClientPluginHost 0xa8b2f:$x1: NanoCore.ClientPluginHost 0x433dc:$x2: IClientNetworkHost 0x75fac:$x2: IClientNetworkHost 0xa8b6c:$x2: IClientNetworkHost 0x46f0f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79adf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xac69f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43107:$a: NanoCore 0x43117:$a: NanoCore 0x4334b:$a: NanoCore 0x4335f:$a: NanoCore 0x4339f:$a: NanoCore 0x75cd7:$a: NanoCore 0x75ce7:$a: NanoCore 0x75f1b:$a: NanoCore 0x75f2f:$a: NanoCore 0x75f6f:$a: NanoCore 0xa8897:$a: NanoCore 0xa88a7:$a: NanoCore 0xa8adb:$a: NanoCore 0xa8aef:$a: NanoCore 0xa8b2f:$a: NanoCore 0x43166:$b: ClientPlugin 0x43368:$b: ClientPlugin 0x433a8:$b: ClientPlugin 0x75d36:$b: ClientPlugin 0x75f38:$b: ClientPlugin 0x75f78:$b: ClientPlugin
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1028f:$x1: NanoCore.ClientPluginHost 0x42e4d:$x1: NanoCore.ClientPluginHost 0x7566d:$x1: NanoCore.ClientPluginHost 0x102cc:$x2: IClientNetworkHost 0x42e8a:$x2: IClientNetworkHost 0x756aa:$x2: IClientNetworkHost 0x13dff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x469bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x791dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfff7:$a: NanoCore 0x10007:$a: NanoCore 0x1023b:$a: NanoCore 0x1024f:$a: NanoCore 0x1028f:$a: NanoCore 0x42bb5:$a: NanoCore 0x42bc5:$a: NanoCore 0x42df9:$a: NanoCore 0x42e0d:$a: NanoCore 0x42e4d:$a: NanoCore 0x753d5:$a: NanoCore 0x753e5:$a: NanoCore 0x75619:$a: NanoCore 0x7562d:$a: NanoCore 0x7566d:$a: NanoCore 0x10056:$b: ClientPlugin 0x10258:$b: ClientPlugin 0x10298:$b: ClientPlugin 0x42c14:$b: ClientPlugin 0x42e16:$b: ClientPlugin 0x42e56:$b: ClientPlugin
Process Memory Space: RFQ.exe PID: 6876	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc372d:$x1: NanoCore.ClientPluginHost 0xe23cf:$x1: NanoCore.ClientPluginHost 0x125bb1:$x1: NanoCore.ClientPluginHost 0x144857:$x1: NanoCore.ClientPluginHost 0x1634fd:$x1: NanoCore.ClientPluginHost 0xc378e:$x2: IClientNetworkHost 0xe2430:$x2: IClientNetworkHost 0x125c12:$x2: IClientNetworkHost 0x1448b8:$x2: IClientNetworkHost 0x16355e:$x2: IClientNetworkHost 0xc8b93:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd6b05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe7835:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf57a7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12b017:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x138f89:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x149cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x157c2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x168963:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1768d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RFQ.exe PID: 6876	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ.exe PID: 6876	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RFQ.exe PID: 6876	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc3232:$a: NanoCore 0xc324e:$a: NanoCore 0xc33a9:$a: NanoCore 0xc33b8:$a: NanoCore 0xc3691:$a: NanoCore 0xc36bd:$a: NanoCore 0xc372d:$a: NanoCore 0xd316f:$a: NanoCore 0xd3181:$a: NanoCore 0xd31bd:$a: NanoCore 0xe1ed4:$a: NanoCore 0xe1ef0:$a: NanoCore 0xe204b:$a: NanoCore 0xe205a:$a: NanoCore 0xe2333:$a: NanoCore 0xe235f:$a: NanoCore 0xe23cf:$a: NanoCore 0xf1e11:$a: NanoCore 0xf1e23:$a: NanoCore 0xf1e5f:$a: NanoCore 0x1256b6:$a: NanoCore
Process Memory Space: enrnus.exe PID: 2288	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1bd096:$x1: NanoCore.ClientPluginHost 0x1dbd3c:$x1: NanoCore.ClientPluginHost 0x1fa9e2:$x1: NanoCore.ClientPluginHost 0x224925:$x1: NanoCore.ClientPluginHost 0x2435c7:$x1: NanoCore.ClientPluginHost 0x261f34:$x1: NanoCore.ClientPluginHost 0x1bd0f7:$x2: IClientNetworkHost 0x1dbd9d:$x2: IClientNetworkHost 0x1faa43:$x2: IClientNetworkHost 0x224986:$x2: IClientNetworkHost 0x243628:$x2: IClientNetworkHost 0x261f95:$x2: IClientNetworkHost 0x1c24fc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d046e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e11a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ef114:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ffe48:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20ddba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x229d8b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x237cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x248a2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: enrnus.exe PID: 2288	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: enrnus.exe PID: 2288	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bcb9b:$a: NanoCore 0x1bcbb7:$a: NanoCore 0x1bcd12:$a: NanoCore 0x1bcd21:$a: NanoCore 0x1bcffa:$a: NanoCore 0x1bd026:$a: NanoCore 0x1bd096:$a: NanoCore 0x1ccad8:$a: NanoCore 0x1ccaea:$a: NanoCore 0x1ccb26:$a: NanoCore 0x1db841:$a: NanoCore 0x1db85d:$a: NanoCore 0x1db9b8:$a: NanoCore 0x1db9c7:$a: NanoCore 0x1dbca0:$a: NanoCore 0x1dbccc:$a: NanoCore 0x1dbd3c:$a: NanoCore 0x1eb77e:$a: NanoCore 0x1eb790:$a: NanoCore 0x1eb7cc:$a: NanoCore 0x1fa4e7:$a: NanoCore
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQ.exe.48272aa.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48272aa.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48272aa.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48272aa.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.48bf5c8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48bf5c8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48bf5c8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48bf5c8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
20.2.enrnus.exe.46719a2.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46719a2.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46719a2.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46719a2.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.RFQ.exe.488ca0a.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.488ca0a.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.488ca0a.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.488ca0a.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.460c212.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.460c212.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.460c212.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.460c212.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.46719a2.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46719a2.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46719a2.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46719a2.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47c1b1a.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47c1b1a.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.47c1b1a.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47c1b1a.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47f46ea.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47f46ea.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.47f46ea.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47f46ea.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47f46ea.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d8a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47f46ea.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac5:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44386:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x4437a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4522b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d77:$s5: IClientLoggingHost
0.2.RFQ.exe.47f46ea.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47f46ea.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab5:$a: NanoCore 0x42ac5:$a: NanoCore 0x42cf9:$a: NanoCore 0x42d0d:$a: NanoCore 0x42d4d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b14:$b: ClientPlugin 0x42d16:$b: ClientPlugin 0x42d56:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c3b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43642:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.RFQ.exe.47c1b1a.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d5d:$x1: NanoCore.ClientPluginHost 0x7591d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d9a:$x2: IClientNetworkHost 0x7595a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7948d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47c1b1a.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47c1b1a.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ac5:$a: NanoCore 0x42ad5:$a: NanoCore 0x42d09:$a: NanoCore 0x42d1d:$a: NanoCore 0x42d5d:$a: NanoCore 0x75685:$a: NanoCore 0x75695:$a: NanoCore 0x758c9:$a: NanoCore 0x758dd:$a: NanoCore 0x7591d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b24:$b: ClientPlugin 0x42d26:$b: ClientPlugin 0x42d66:$b: ClientPlugin
20.2.enrnus.exe.4709cc0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.4709cc0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.4709cc0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.460c212.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d5d:$x1: NanoCore.ClientPluginHost 0x7591d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d9a:$x2: IClientNetworkHost 0x7595a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7948d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.460c212.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.460c212.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ac5:$a: NanoCore 0x42ad5:$a: NanoCore 0x42d09:$a: NanoCore 0x42d1d:$a: NanoCore 0x42d5d:$a: NanoCore 0x75685:$a: NanoCore 0x75695:$a: NanoCore 0x758c9:$a: NanoCore 0x758dd:$a: NanoCore 0x7591d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b24:$b: ClientPlugin 0x42d26:$b: ClientPlugin 0x42d66:$b: ClientPlugin
20.2.enrnus.exe.463ede2.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.463ede2.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.463ede2.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.463ede2.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.463ede2.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d8a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.463ede2.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac5:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44386:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x4437a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4522b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d77:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.4709cc0.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.4709cc0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.enrnus.exe.463ede2.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.463ede2.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab5:$a: NanoCore 0x42ac5:$a: NanoCore 0x42cf9:$a: NanoCore 0x42d0d:$a: NanoCore 0x42d4d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b14:$b: ClientPlugin 0x42d16:$b: ClientPlugin 0x42d56:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c3b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43642:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.RFQ.exe.48272aa.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48272aa.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48272aa.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48272aa.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.RFQ.exe.48bf5c8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48bf5c8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48bf5c8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48bf5c8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.488ca0a.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4b:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d88:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.488ca0a.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac3:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4b:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44384:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x44378:$s2: FileCommand 0x1266b:$s3: PipeExists 0x45229:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe0:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d75:$s5: IClientLoggingHost
0.2.RFQ.exe.488ca0a.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.488ca0a.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab3:$a: NanoCore 0x42ac3:$a: NanoCore 0x42cf7:$a: NanoCore 0x42d0b:$a: NanoCore 0x42d4b:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b12:$b: ClientPlugin 0x42d14:$b: ClientPlugin 0x42d54:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c39:$c: ProjectData 0x10a82:$d: DESCrypto 0x43640:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.enrnus.exe.46d7102.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46d7102.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46d7102.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46d7102.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.46d7102.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4b:$x1: NanoCore.ClientPluginHost 0x7556b:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d88:$x2: IClientNetworkHost 0x755a8:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x790db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46d7102.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46d7102.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab3:$a: NanoCore 0x42ac3:$a: NanoCore 0x42cf7:$a: NanoCore 0x42d0b:$a: NanoCore 0x42d4b:$a: NanoCore 0x752d3:$a: NanoCore 0x752e3:$a: NanoCore 0x75517:$a: NanoCore 0x7552b:$a: NanoCore 0x7556b:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b12:$b: ClientPlugin 0x42d14:$b: ClientPlugin 0x42d54:$b: ClientPlugin
Click to see the 72 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

ReversingLabs: Detection: 14%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files

Show sources

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Software Vulnerabilities:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_09537DD8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_09536CCC
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then xor edx, edx	0_2_095376B8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_09307DD8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_09306CCC
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then xor edx, edx	20_2_093076B8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_09309BC4
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_09306D25
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	20_2_09306F7C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 185.244.30.161:1985

Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494057230.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adb
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ.exe, 00000000.00000002.474479540.0000000002F01000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RFQ.exe, 00000000.00000002.474462948.0000000002EEB000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595053339.0000000002D3A000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: enrnus.exe, 00000014.00000002.593139988.000000000102B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large array initializations

Show sources

Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 3785
Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 2501
Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 2389

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_02D0C8F0	0_2_02D0C8F0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06897767	0_2_06897767
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068964A8	0_2_068964A8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06894410	0_2_06894410
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068985E8	0_2_068985E8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689EE98	0_2_0689EE98
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06896D08	0_2_06896D08
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689492F	0_2_0689492F
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689E690	0_2_0689E690
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A758	0_2_0689A758
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A768	0_2_0689A768
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06896421	0_2_06896421
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689647D	0_2_0689647D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068985BF	0_2_068985BF
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899500	0_2_06899500
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899510	0_2_06899510
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06897208	0_2_06897208
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A0BA	0_2_0689A0BA
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A0C8	0_2_0689A0C8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689AC18	0_2_0689AC18
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689AC17	0_2_0689AC17
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689ADF0	0_2_0689ADF0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689D8F8	0_2_0689D8F8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A992	0_2_0689A992
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A9A0	0_2_0689A9A0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06895927	0_2_06895927
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953B980	0_2_0953B980
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_09531BC1	0_2_09531BC1
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953EF88	0_2_0953EF88
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_09532408	0_2_09532408
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953A9D2	0_2_0953A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_01269028	20_2_01269028
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052885E8	20_2_052885E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05284410	20_2_05284410
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052864A8	20_2_052864A8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528775B	20_2_0528775B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05287208	20_2_05287208
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05286D08	20_2_05286D08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528EE98	20_2_0528EE98
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05284920	20_2_05284920
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05289500	20_2_05289500
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05288503	20_2_05288503
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05289510	20_2_05289510
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05288583	20_2_05288583
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528640D	20_2_0528640D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528647D	20_2_0528647D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A768	20_2_0528A768
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A763	20_2_0528A763
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528E690	20_2_0528E690
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A0BB	20_2_0528A0BB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A0C8	20_2_0528A0C8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528ADF3	20_2_0528ADF3
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528AC0B	20_2_0528AC0B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528AC18	20_2_0528AC18
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05285918	20_2_05285918
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A9A0	20_2_0528A9A0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A993	20_2_0528A993
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528D8F8	20_2_0528D8F8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930B98B	20_2_0930B98B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09301C54	20_2_09301C54
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930EF88	20_2_0930EF88
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302408	20_2_09302408
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930A9BD	20_2_0930A9BD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930A9D2	20_2_0930A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093028B0	20_2_093028B0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093028A1	20_2_093028A1
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093088E8	20_2_093088E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093088DB	20_2_093088DB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AB00	20_2_0930AB00
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09301BD5	20_2_09301BD5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930CA3A	20_2_0930CA3A
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AA76	20_2_0930AA76
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AA61	20_2_0930AA61
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AAEB	20_2_0930AAEB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302DF9	20_2_09302DF9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930CDCE	20_2_0930CDCE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302E08	20_2_09302E08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09300013	20_2_09300013
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09300040	20_2_09300040
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09308338	20_2_09308338
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930832B	20_2_0930832B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09303468	20_2_09303468

Source: RFQ.exe, 00000000.00000002.473701970.0000000001180000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.475260216.0000000003EA8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.471971758.0000000000AF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479695620.00000000068A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ.exe
Source: RFQ.exe	Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'

Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@8/4@0/0

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_01

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to behavior

Source: RFQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

File read: C:\Users\user\Desktop\RFQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F86A3 push edi; ret	0_2_009F86A4
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F42C7 push edi; ret	0_2_009F42C8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F261E push ebx; iretd	0_2_009F262B
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F743D pushad ; ret	0_2_009F7445
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F8673 push edi; ret	0_2_009F8674
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F7DA4 pushad ; ret	0_2_009F7DA5
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F73E4 pushad ; ret	0_2_009F7405
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F7B07 push ecx; retf	0_2_009F7B08
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F5900 push es; iretd	0_2_009F590D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F675C push ss; retf	0_2_009F675D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F857E push ecx; retf	0_2_009F857F
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A612 push es; iretd	0_2_0689A61C
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689854F push es; ret	0_2_06898580
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899211 pushfd ; iretd	0_2_0689921D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689525A push ecx; ret	0_2_0689525E
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689B0FC push ecx; iretd	0_2_0689B0FE
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068961DC pushad ; iretd	0_2_068961DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C8673 push edi; ret	20_2_007C8674
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C743D pushad ; ret	20_2_007C7445
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C261E push ebx; iretd	20_2_007C262B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C42C7 push edi; ret	20_2_007C42C8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C86A3 push edi; ret	20_2_007C86A4
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C857E push ecx; retf	20_2_007C857F
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C675C push ss; retf	20_2_007C675D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C7B07 push ecx; retf	20_2_007C7B08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C5900 push es; iretd	20_2_007C590D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C73E4 pushad ; ret	20_2_007C7405
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C7DA4 pushad ; ret	20_2_007C7DA5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052861DC pushad ; iretd	20_2_052861DD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528B0FC push ecx; iretd	20_2_0528B0FE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528525A push ecx; ret	20_2_0528525E

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe			Jump to dropped file
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe			Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiomac			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiomac			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\RFQ.exe	File opened: C:\Users\user\Desktop\RFQ.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY

Source: C:\Users\user\Desktop\RFQ.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	Window / User API: threadDelayed 885	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Window / User API: threadDelayed 8833	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Window / User API: threadDelayed 834	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Window / User API: threadDelayed 8921	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156	Thread sleep count: 885 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156	Thread sleep count: 8833 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39640s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720	Thread sleep count: 834 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720	Thread sleep count: 8921 > 30	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44828s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44719s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44594s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44484s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44375s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44266s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44156s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44047s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43938s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43797s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43625s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43516s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43406s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43297s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43178s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43063s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42953s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42531s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42406s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42297s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42141s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41485s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41344s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41234s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41125s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41016s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40891s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40750s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40641s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40391s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40250s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40141s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40031s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39922s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39813s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39703s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39594s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39485s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39344s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39234s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39125s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39016s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38906s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38797s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38672s >= -30000s	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38563s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware usb pointing device
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware pointing device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware sata
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Pb
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware virtual s scsi disk device
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device
Source: enrnus.exe, 00000014.00000002.593271485.000000000105D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\RFQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\RFQ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'	Jump to behavior

Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RFQ.exe, 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: enrnus.exe, 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Startup Items1	Startup Items1	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder121	Process Injection12	Modify Registry1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder121	Virtualization/Sandbox Evasion3	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	15%	ReversingLabs	Win32.Trojan.Wacatac
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ns.adb	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adb	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494057230.00000000096F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.c/g	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	false		high
http://schema.org/WebPage	RFQ.exe, 00000000.00000002.474462948.0000000002EEB000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595053339.0000000002D3A000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358327
Start date:	25.02.2021
Start time:	12:15:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@8/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.1% (good quality ratio 1.5%) Quality average: 26.8% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 36 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 168.61.161.212, 13.88.21.125, 142.250.185.164, 131.253.33.200, 13.107.22.200, 104.43.193.48, 51.11.168.160, 205.185.216.10, 205.185.216.42, 51.103.5.186, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 184.30.20.56, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:16:42	API Interceptor	306x Sleep call for process: RFQ.exe modified
12:16:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiomac C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe
12:16:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiomac C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe
12:17:49	API Interceptor	318x Sleep call for process: enrnus.exe modified
12:18:37	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\RegAsm.exe	CI & PL 2021 shipment for correction,pdf.exe	Get hash	malicious	Browse
	BL COPY.exe	Get hash	malicious	Browse
	IDS_ScanCopy6754588899.exe	Get hash	malicious	Browse
	Order 01001O02.exe	Get hash	malicious	Browse
	PAYMENT DETAILS.exe	Get hash	malicious	Browse
	PAYMENT ADVICE 09680820210111091448.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse
	qsiEm04k63.exe	Get hash	malicious	Browse
	Payment slip.exe	Get hash	malicious	Browse
	2Dd20YdQDR.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.7.exe	Get hash	malicious	Browse
	Scan_00059010189_ ref. 004118379411_ pdf.exe	Get hash	malicious	Browse
	hfix.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse
	Client1.exe	Get hash	malicious	Browse
	miner.exe	Get hash	malicious	Browse
	PhoenixMiner_5.4c_Windows.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	PO-498475-ORDER.vbs	Get hash	malicious	Browse
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1045504
Entropy (8bit):	6.571163294446179
Encrypted:	false
SSDEEP:	24576:fMjaXzO4jx8swe2M14J8bLMN86APmFsnIBaOhYvO4LPjlDy4XBc+:fMjaXzO4l8swe2k4J8bLMN86APmFNBWO
MD5:	6733E06C6BE5CA14FFC33763202F53C8
SHA1:	9412D3147B30A873B94E2D0F495EAFDEA1479EE1
SHA-256:	72F30E8884110E06B133ECABFDBF523AEF8CC5533273AA3E12AFEE785A5A45BC
SHA-512:	95E4B792853D583ACB7C2BCC1AF974CCBD20EAD31A917208F7BF070E71C15D226EF1A0D61C7E18D8679C33E07A9E9739EDD858F450B00B13C2433758AAAAB143
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.X................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........\.........(....I..............................................E.<y...y&..Y..~W.[..2...,.Z..C .+..J..GD..k...da...y....d.@..[...b.....(...y>...\|f.U...S..L...v..C}_......M..`S#`..k...........p.>.Gn8...RO.X.i.mz.f.....M...#.x..!9...{......c......^....o.......W.7..s...-[..s.s..oi.X....n6.........Z.....Q.y./.r....c^."N..'yp...]...0..W...BQ..0..."{y..R.d..E.-...-....)...<...6.M..8.b.^.*".......E.rR...p5..IaDF.O)4h&P...>A...S.<.u...=.n.o.$..7..C.....X

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1318
Entropy (8bit):	5.35748495629225
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoyE4P:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnov
MD5:	C752BC4289E47E13AECB02FB0A525249
SHA1:	FA76430425B22B6D1BB8F737DE9F36DA996FFD9C
SHA-256:	19F546CEC9D3F9217584617117869E36A742D78D070D78212C64518317C0E45F
SHA-512:	98F2B88340F01B00FDB2EDAEFFB4AE9454B7F87E542CD827538D91A70B3EF59CD6B8E6FB63CA94D7750829D12415599C3B6D0C932CBDDCB33F10D887ACF59187
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Temp\RegAsm.exe Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64616
Entropy (8bit):	6.037264560032456
Encrypted:	false
SSDEEP:	768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
MD5:	6FD7592411112729BF6B1F2F6C34899F
SHA1:	5E5C839726D6A43C478AB0B95DBF52136679F5EA
SHA-256:	FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
SHA-512:	21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: CI & PL 2021 shipment for correction,pdf.exe, Detection: malicious, Browse Filename: BL COPY.exe, Detection: malicious, Browse Filename: IDS_ScanCopy6754588899.exe, Detection: malicious, Browse Filename: Order 01001O02.exe, Detection: malicious, Browse Filename: PAYMENT DETAILS.exe, Detection: malicious, Browse Filename: PAYMENT ADVICE 09680820210111091448.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse Filename: qsiEm04k63.exe, Detection: malicious, Browse Filename: Payment slip.exe, Detection: malicious, Browse Filename: 2Dd20YdQDR.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.7.exe, Detection: malicious, Browse Filename: Scan_00059010189_ ref. 004118379411_ pdf.exe, Detection: malicious, Browse Filename: hfix.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.8.exe, Detection: malicious, Browse Filename: Client1.exe, Detection: malicious, Browse Filename: miner.exe, Detection: malicious, Browse Filename: PhoenixMiner_5.4c_Windows.exe, Detection: malicious, Browse Filename: 74725794.exe, Detection: malicious, Browse Filename: PO-498475-ORDER.vbs, Detection: malicious, Browse Filename: Payment Advice Note from 19.11.2020.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.571163294446179
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RFQ.exe
File size:	1045504
MD5:	6733e06c6be5ca14ffc33763202f53c8
SHA1:	9412d3147b30a873b94e2d0f495eafdea1479ee1
SHA256:	72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
SHA512:	95e4b792853d583acb7c2bcc1af974ccbd20ead31a917208f7bf070e71c15d226ef1a0d61c7e18d8679c33e07a9e9739edd858f450b00b13c2433758aaaab143
SSDEEP:	24576:fMjaXzO4jx8swe2M14J8bLMN86APmFsnIBaOhYvO4LPjlDy4XBc+:fMjaXzO4l8swe2k4J8bLMN86APmFNBWO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.X................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x5001de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x588848B6 [Wed Jan 25 06:41:58 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x100184	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x102000	0xcdf	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfe1e4	0xfe200	False	0.608103018938	data	6.57523758898	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x102000	0xcdf	0xe00	False	0.378348214286	data	4.77533741669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1020a0	0x39c	data
RT_MANIFEST	0x10243c	0x8a3	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2005 3H<7C?IA<6FJJE:;5HGJ
Assembly Version	1.0.0.0
InternalName	again.exe
FileVersion	5.8.10.13
CompanyName	3H<7C?IA<6FJJE:;5HGJ
Comments	@EA=>IGI=9H:3@A2AA3
ProductName	EH@8<G955B73@B88=;GA@@2D
ProductVersion	5.8.10.13
FileDescription	EH@8<G955B73@B88=;GA@@2D
OriginalFilename	again.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/25/21-12:18:37.423575	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	1985	192.168.2.6	185.244.30.161

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 12:16:22.727293015 CET	62044	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:22.787478924 CET	53	62044	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:24.581695080 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:25.595849991 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:25.658751965 CET	53	63791	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:26.008734941 CET	64267	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:26.069957972 CET	53	64267	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:27.122786999 CET	49448	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:27.174323082 CET	53	49448	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:28.655915976 CET	60342	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:28.706482887 CET	53	60342	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:29.786921978 CET	61346	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:29.835741997 CET	53	61346	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.028070927 CET	51774	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.089288950 CET	53	51774	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.176573038 CET	56023	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.234807968 CET	53	56023	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.465831041 CET	58384	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.514385939 CET	53	58384	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.522681952 CET	60261	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.571381092 CET	53	60261	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:32.461899996 CET	56061	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:32.513628960 CET	53	56061	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:33.671749115 CET	58336	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:33.720500946 CET	53	58336	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:34.625479937 CET	53781	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:34.675333023 CET	53	53781	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:35.717607021 CET	54064	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:35.766388893 CET	53	54064	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:36.702701092 CET	52811	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:36.752760887 CET	53	52811	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:37.699152946 CET	55299	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:37.750910044 CET	53	55299	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:38.874150038 CET	63745	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:38.924274921 CET	53	63745	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:39.996886969 CET	50055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:40.054152012 CET	53	50055	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:43.821738958 CET	61374	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:43.920892000 CET	53	61374	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:45.225033045 CET	50339	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:45.275497913 CET	53	50339	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:46.519507885 CET	63307	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:46.568161011 CET	53	63307	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:58.320008993 CET	49694	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:58.368999958 CET	53	49694	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:17.857564926 CET	54982	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:17.909198046 CET	53	54982	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:19.028069973 CET	50010	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:19.076870918 CET	53	50010	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:21.776122093 CET	63718	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:21.836282969 CET	53	63718	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:22.491647959 CET	62116	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:22.548764944 CET	53	62116	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:23.113923073 CET	63816	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:23.170830965 CET	53	63816	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:23.596215963 CET	55014	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:23.648888111 CET	53	55014	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.043178082 CET	62208	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.115250111 CET	57574	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.121511936 CET	53	62208	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.179927111 CET	53	57574	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.800698042 CET	51818	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.857887983 CET	53	51818	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:25.413422108 CET	56628	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:25.465018034 CET	53	56628	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:26.684542894 CET	60778	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:26.737323999 CET	53	60778	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:28.095009089 CET	53799	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:28.152288914 CET	53	53799	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:28.723160982 CET	54683	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:28.784219027 CET	53	54683	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:29.805085897 CET	59329	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:29.863773108 CET	53	59329	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:38.610966921 CET	64021	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:38.661577940 CET	53	64021	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:39.065171957 CET	56129	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:39.116597891 CET	53	56129	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:39.137428045 CET	58177	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:39.186067104 CET	53	58177	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:58.726459026 CET	50700	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:58.779820919 CET	53	50700	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:00.975207090 CET	54069	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:01.036456108 CET	53	54069	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:01.730922937 CET	61178	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:01.782592058 CET	53	61178	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:19.645900011 CET	57017	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:19.695908070 CET	53	57017	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ.exe PID: 6876 Parent PID: 5912

General

Start time:	12:16:30
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\RFQ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ.exe'
Imagebase:	0x9f0000
File size:	1045504 bytes
MD5 hash:	6733E06C6BE5CA14FFC33763202F53C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6032 Parent PID: 6876

General

Start time:	12:16:40
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1428 Parent PID: 6032

General

Start time:	12:16:41
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 6188 Parent PID: 6032

General

Start time:	12:16:41
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0xaf0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: enrnus.exe PID: 2288 Parent PID: 6876

General

Start time:	12:17:36
Start date:	25/02/2021
Path:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0x7c0000
File size:	1045504 bytes
MD5 hash:	6733E06C6BE5CA14FFC33763202F53C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 15%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ.exe PID: 6876 Parent PID: 5912 RFQ.exeCOMMON

Executed Functions

Function 068985E8, Relevance: 7.8, Strings: 6, Instructions: 308COMMON

Download Yara Rule

Strings

}At, xrefs: 068986A2
r., xrefs: 068989EB
_=G, xrefs: 068987D1
}At, xrefs: 068986A9
_=G, xrefs: 068987CA
H+!, xrefs: 06898640

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: H+!$_=G$_=G$r.$}At$}At
API String ID: 0-1606139953
Opcode ID: a0b7fe3e8fb6e341ddc59fe33ef66b05a8529fd96d60cfdd2e8e199fcca50343
Instruction ID: e28b347bb86285c3cf9da2f318ae7d8d1253df011b0c93e9c1ec44c5e5115d60
Opcode Fuzzy Hash: a0b7fe3e8fb6e341ddc59fe33ef66b05a8529fd96d60cfdd2e8e199fcca50343
Instruction Fuzzy Hash: 4AD14AB0E1420ADFDB88CFA5C4859AEFBB2FF89300B149959D515EB214C7349A42CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 068985BF, Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

}At, xrefs: 068986A2
r., xrefs: 068989EB
_=G, xrefs: 068987D1
}At, xrefs: 068986A9
H+!, xrefs: 06898640

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: H+!$_=G$r.$}At$}At
API String ID: 0-1071684018
Opcode ID: 33f7af4af59142b186a17479e5ff61a3714da244743a0063ed1963851cb51773
Instruction ID: 3c10ddbef67559e8abbd56cada2e7994758c4481d1ee21dccbe4d77554267519
Opcode Fuzzy Hash: 33f7af4af59142b186a17479e5ff61a3714da244743a0063ed1963851cb51773
Instruction Fuzzy Hash: 19D14AB0E1420ADFDB48CFA5C4858AEFBB2FF89300B14895AD515EB214D7349A42CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 09532408, Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

s@T, xrefs: 09532521
s@T, xrefs: 0953244D

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID: s@T$s@T
API String ID: 0-144321513
Opcode ID: 2a4db91b08c54df622a60955cd5dbf787251996ab423698e6c46d8296e98e39d
Instruction ID: 33d09d2804eb74240700e2ec2c692be2fb329c34981d8e062f07b86e38b6daea
Opcode Fuzzy Hash: 2a4db91b08c54df622a60955cd5dbf787251996ab423698e6c46d8296e98e39d
Instruction Fuzzy Hash: 944123B0E05608CBCB04CFAAD55469DBBB2FB8C310F64942AD515F7254E7349A028F29

Uniqueness

Uniqueness Score: -1.00%

Function 0689492F, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

<, xrefs: 06894A5A

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: bc94443301afbb3b479ca39192de0f03fcf2215fa00841dcd41e9290f3907b32
Instruction ID: b1eb73e272896f03c7e0b7d8e56359c2e62259c7bc7e2227a451f8a5cd927a90
Opcode Fuzzy Hash: bc94443301afbb3b479ca39192de0f03fcf2215fa00841dcd41e9290f3907b32
Instruction Fuzzy Hash: BD519375E00618CFDB58DFAAC9446DDBBF2AFC9304F14C0AAD509AB264EB305A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06894410, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc0e0fc7b3fd9c2d083b3d84cae094be63864b16fe828155880fe4cf3926491
Instruction ID: 6201b409391f040193d5455722316f24e5169199537423d8a680fad2a95c8896
Opcode Fuzzy Hash: 4dc0e0fc7b3fd9c2d083b3d84cae094be63864b16fe828155880fe4cf3926491
Instruction Fuzzy Hash: FC81A874B041188FDF59AF749C5517EB6A7AFC8208F09892DE606E7388DF3498029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D0C8F0, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.474187774.0000000002D00000.00000040.00000001.sdmp, Offset: 02D00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07aa2c81840475ef937c3387885d075f9ee9e8bc0c4d85251345ccacebcd04d3
Instruction ID: b5cc5c419f594d5125ca0d02ca4085e790aa322e79b36f4ce73ea9f39c6f6bc0
Opcode Fuzzy Hash: 07aa2c81840475ef937c3387885d075f9ee9e8bc0c4d85251345ccacebcd04d3
Instruction Fuzzy Hash: 3481EB347185185BD705B738E8A5B2F329B9B85708F228A1AF146DB3E8DF74EC018B75

Uniqueness

Uniqueness Score: -1.00%

Function 0953EF88, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bdf939e48c3483af43e07058c443621a63b90e9c8480eebcc2b605edbb3217
Instruction ID: 9f77bf92246bde864a795b5f63494a5aebef22e81fcb375539dc04999286ddeb
Opcode Fuzzy Hash: 03bdf939e48c3483af43e07058c443621a63b90e9c8480eebcc2b605edbb3217
Instruction Fuzzy Hash: E2B1F174E02219CFCB54DFA5D5806AEBBB2FB89300F60996AD40AE7354DB709E46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06896421, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dd4051dcccc0af8c490309ec80f12ff3ccc612c32a13c596748234f1b01cfa
Instruction ID: 4a140582a0dcb3584c85580378f6cc9b1d6b4221613218d700cb8da086444ef2
Opcode Fuzzy Hash: 58dd4051dcccc0af8c490309ec80f12ff3ccc612c32a13c596748234f1b01cfa
Instruction Fuzzy Hash: CFA10170E112098FDB48CFA9D984AEEFBF2FF89304F24852AD515AB254E7309941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09531BC1, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507eaff241d85bb6dedc2cfad3e6bdfb9cd5a7742bd5256062b481bcc840177e
Instruction ID: 2e7887d8000a3b10c24de8c9b5810749b2636569f3c447d5f40620eb8e1442d0
Opcode Fuzzy Hash: 507eaff241d85bb6dedc2cfad3e6bdfb9cd5a7742bd5256062b481bcc840177e
Instruction Fuzzy Hash: A2918E74D08744ABDB58CF76C89169EBFFAFF99300F08C4AAD448AA216E7704545CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0689647D, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a232f98f6c3796b6fbb885d4171c2d8f2c4ec35e8fcd29089ac4360f586b01bf
Instruction ID: 9f902555db962ce88dc477bd6fd75feb75dd97ee6e1222ba44e56e16eb2d23f2
Opcode Fuzzy Hash: a232f98f6c3796b6fbb885d4171c2d8f2c4ec35e8fcd29089ac4360f586b01bf
Instruction Fuzzy Hash: 4D912370E042499FDB48CFE9D9459EEFBB2EF89300F24842AD515AB264E7309945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 068964A8, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb05de4807956b987a3ec4f40852132fa56429f4ade87c973a98bb478cae49b8
Instruction ID: ded0396f6ae39097907bbbd25c788faf3bf23331e7b63368085f1c03b19f3d4f
Opcode Fuzzy Hash: cb05de4807956b987a3ec4f40852132fa56429f4ade87c973a98bb478cae49b8
Instruction Fuzzy Hash: 05810270E10209CFDB48CFE9DA45AAEFBB2AF89300F14942AD519BB354E7309945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0689EE98, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ec08f94cbe6ce753af62a193312e374760ee3c83abffd462709c4997a3d9e1
Instruction ID: 38f7fa533377327bdc4c4620c351f690a7932822da6e6f3ee9554ed19db91b00
Opcode Fuzzy Hash: 93ec08f94cbe6ce753af62a193312e374760ee3c83abffd462709c4997a3d9e1
Instruction Fuzzy Hash: A5612374D01229CFDF48CFA4D9496AEBBB2FF49305F14882AD112EB250DB785A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06896D08, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcec3cf188e8d856d8fe9c56ae72d062ec3eba060c4f0612cb5edd65f56c8d3
Instruction ID: 9d3e66a9f4d08d5f5dd2436e4f64a15cad04912a63515a0ecc7296ae1db70cae
Opcode Fuzzy Hash: 5fcec3cf188e8d856d8fe9c56ae72d062ec3eba060c4f0612cb5edd65f56c8d3
Instruction Fuzzy Hash: 27512A70E052099FEF48CFA6C4416AEFBF2AF89304F28D42AD415E7254E7358A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0953B980, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fb384bb4cc7c118f0f1c7f6364fb08da2aaed90387c36eecc7d12960926482
Instruction ID: 30221b7b4f7250c8c040caa3ede3eafcb94a7a34534b45fa525eae0feebd16fd
Opcode Fuzzy Hash: 01fb384bb4cc7c118f0f1c7f6364fb08da2aaed90387c36eecc7d12960926482
Instruction Fuzzy Hash: F74113B5E05219DFCB08CFA6D8445EEBBB2FF89350B04D86AD415A7324EB349A01CF60

Uniqueness

Uniqueness Score: -1.00%

Function 09537DD8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47343f7557280016854d0c8bcd1ac3d7363eb99d513faeaed74ca79eb47f5dd
Instruction ID: 7ecf56e51c45a866df0dfe19cf387aad05c730d1ab88f72b165b6503bbad29aa
Opcode Fuzzy Hash: c47343f7557280016854d0c8bcd1ac3d7363eb99d513faeaed74ca79eb47f5dd
Instruction Fuzzy Hash: 8541A9B4D04248DFCB10CFAAC594ADEBBF0BB09304F60942AE519BB350DB74A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 09536CCC, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38999c46d39c5664566e2c4519316b079344d0b54ec2bd7ab3ca938268dbabad
Instruction ID: 4ad59caa1f4b83947e81c17c8aa5e2b616953f5e3f45114bd632c502f62c87eb
Opcode Fuzzy Hash: 38999c46d39c5664566e2c4519316b079344d0b54ec2bd7ab3ca938268dbabad
Instruction Fuzzy Hash: B641B8B4D052489FCB20CFAAC584B9EFBF0BB09314F60902AE515BB250DB74A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06897767, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc52532a013b81890f691fbf2637004be6fc4b1f01861eb3ad75a4eac9ad2ee
Instruction ID: 0fca713c9f5fa61bb836c268b0c58af81ebb76542a283b4b531e00d3a32a0d11
Opcode Fuzzy Hash: fbc52532a013b81890f691fbf2637004be6fc4b1f01861eb3ad75a4eac9ad2ee
Instruction Fuzzy Hash: 9121F4B1E006189BEB18CFABD8402DEFBF7AFC8310F14C16AD509A6218DB340A45CE90

Uniqueness

Uniqueness Score: -1.00%

Function 095376B8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction ID: 42bb12b416ee9cc6042f7aeb8d791925e1627efe7753f54bc1211cadb50c78f6
Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
Instruction Fuzzy Hash: C1F03FB5D0520C9B8F04DFAAD5418EEFBF2AB59310F10A16AE815B3310E73599518FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0689578D, Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54843a4362daa3aadd76c21f0a520824fc5e9215dc1dccbace7d3868eb037dd1
Instruction ID: 9ffa975527b1228beda61d943489dd7f3f772212113a26cf51951b986914aaf8
Opcode Fuzzy Hash: 54843a4362daa3aadd76c21f0a520824fc5e9215dc1dccbace7d3868eb037dd1
Instruction Fuzzy Hash: 3C41DFB4D0425A9FCB11CFA9D884ADEFBF4BF19310F24942AE894B7210D3349985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06895817, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 068958BF

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d74e6225d8e2bc8f88c81f1397a1d6291344b782cfa73b12bcb1f87c0665cc01
Instruction ID: 603864559a6b4042b09b336df9a756ae53377fcff41350c3462682b90e3d6179
Opcode Fuzzy Hash: d74e6225d8e2bc8f88c81f1397a1d6291344b782cfa73b12bcb1f87c0665cc01
Instruction Fuzzy Hash: 213199B9D042589FCF10CFA9E884ADEFBB4BB19320F24942AE814B7310D774A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0689D4F0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0689D597

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6eb5e69f9ffa69a7a3ec826be47cc152a75920809ba5ff86d93af425747f6277
Instruction ID: 739ea17e86169ddbd4d9cb3432f99bf77e59ed144789ba67a432732aef500313
Opcode Fuzzy Hash: 6eb5e69f9ffa69a7a3ec826be47cc152a75920809ba5ff86d93af425747f6277
Instruction Fuzzy Hash: 6F3198B9D042589FCF10CFAAD884ADEFBB0BB09314F14902AE814B7310D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06895818, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 068958BF

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6795ae4ccacf4f26a17707463167405e3d352fc73e4eb68d17fb513793c7939d
Instruction ID: 350287736b6ccbccf99faad6d934d8c848352cf693eebb8f998bca107778a5b5
Opcode Fuzzy Hash: 6795ae4ccacf4f26a17707463167405e3d352fc73e4eb68d17fb513793c7939d
Instruction Fuzzy Hash: 293197B9D042589FCF10CFA9E884ADEFBB0BB19320F24942AE814B7310D774A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 09530A68, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 09530B01

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4f4afa5ccde1b28b1650df350bdc4ad27cab24960c60f90c80d89ec7828a1db4
Instruction ID: f42e4d270c474bde8fcb452b80b8ef6cda365ea82d2150f6589a2839491d6f0d
Opcode Fuzzy Hash: 4f4afa5ccde1b28b1650df350bdc4ad27cab24960c60f90c80d89ec7828a1db4
Instruction Fuzzy Hash: 7B31AAB4D052589FCB10CFAAD884AEEFBF5BB49314F14846AE404B7350D774AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02D0E788, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02D0E802

Memory Dump Source

Source File: 00000000.00000002.474187774.0000000002D00000.00000040.00000001.sdmp, Offset: 02D00000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8151776e7db865c97d311ed3c48b6a5bd9bf3fc3146ab82f1983677bc0d68229
Instruction ID: d72bd77360161b8abefce5cc06564f31c92a710473737fa7052b4f7037aa472c
Opcode Fuzzy Hash: 8151776e7db865c97d311ed3c48b6a5bd9bf3fc3146ab82f1983677bc0d68229
Instruction Fuzzy Hash: FF1147B4A003488FDB60DFA9C54979EBFF8FB88314F10886AE405A7780D739A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02D0EA38, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02D0EAAD

Memory Dump Source

Source File: 00000000.00000002.474187774.0000000002D00000.00000040.00000001.sdmp, Offset: 02D00000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: be1bf1a0e956b9bb09f3ba14e3ea732cc8c2fe9604afe771b3914b14619e28ae
Instruction ID: 7f3458e352a38fdc7d339f0c09b5375f2afd64c6553023f2aa76fa601960f0e4
Opcode Fuzzy Hash: be1bf1a0e956b9bb09f3ba14e3ea732cc8c2fe9604afe771b3914b14619e28ae
Instruction Fuzzy Hash: E8114C749043448EDB20DF9AD59579EBBF8FB48328F10481AE415E7780C779A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.473933951.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2414d7ff46c28ebb61ba1de43f49da87026a14d1a202358b12e664b593ac14b8
Instruction ID: 221e96d0070f5503531615f02e15e9d2448f158d1b62eb90282375891ea37d9d
Opcode Fuzzy Hash: 2414d7ff46c28ebb61ba1de43f49da87026a14d1a202358b12e664b593ac14b8
Instruction Fuzzy Hash: 32216AB1514208DFDB15DF94E8C0B27BF65FB88328F608569EA450B606C336D855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.473933951.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction ID: c0e7a977a103026b557ce11651fa2b0f24995feef51cfcca92df98a9a4493c6f
Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
Instruction Fuzzy Hash: 7E11B1B6804284CFDB12CF58D5C4B16BF72FB84324F2486A9D9450B617C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012AD819, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.473933951.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed8117252cc8e3d69833e6532f1002d67df5f32958b342468359057d6197438
Instruction ID: 03282487c4b77897a13cd1ef4428315f5309e4881c5d1b431945c9c37393213f
Opcode Fuzzy Hash: 1ed8117252cc8e3d69833e6532f1002d67df5f32958b342468359057d6197438
Instruction Fuzzy Hash: 8E01F7B1418348DFE7205B6ACC84766BBA8DF41378F58845AEF0C5BA46C3799845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 012AD818, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.473933951.00000000012AD000.00000040.00000001.sdmp, Offset: 012AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580453ed54efaa0646597d9203703c7b1b624f8972ced95e94b6eafdcbef5263
Instruction ID: adeb9a505f08e0c9c1b993c67fec2ccf67b4ae737bc035aa02e5e7ffad2dc914
Opcode Fuzzy Hash: 580453ed54efaa0646597d9203703c7b1b624f8972ced95e94b6eafdcbef5263
Instruction Fuzzy Hash: 3CF0F671404354AFE7218F0ADCC4B62FFA8EF41374F28C05AEE084B686C3799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06899500, Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

73-, xrefs: 068995BB
73-, xrefs: 0689959D

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: 73-$73-
API String ID: 0-2774623459
Opcode ID: f99bb31cf150e1658e23001802abddd13b54733ff5fd57b24d2405f37b9a4bec
Instruction ID: 49db840a6de5491bdcd43d4624f0b6df059edc69db2de677f9680ffe4447f2e0
Opcode Fuzzy Hash: f99bb31cf150e1658e23001802abddd13b54733ff5fd57b24d2405f37b9a4bec
Instruction Fuzzy Hash: 5881F374A152199FCF44CFA9C58199EFBF2FF89210F18956AE419EB211D334AA01CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06899510, Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

73-, xrefs: 068995BB
73-, xrefs: 0689959D

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: 73-$73-
API String ID: 0-2774623459
Opcode ID: f9cea1449ec9cd666b55ccbd2b37845dd88e970f665a887fd385552e6969d16b
Instruction ID: 3391fbd64960d2f5eb205d1dfcf905dfddabf67e3e3fdba6f7e340ba0e6f27f2
Opcode Fuzzy Hash: f9cea1449ec9cd666b55ccbd2b37845dd88e970f665a887fd385552e6969d16b
Instruction Fuzzy Hash: 2F81F274A15219CFCF44CF99C58199EBBF2FF88210F189559E419EB321D330AA02CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0689A0C8, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

KebJ, xrefs: 0689A1A4
KebJ, xrefs: 0689A19D

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: KebJ$KebJ
API String ID: 0-1738911221
Opcode ID: e61905947902415bbba6a722295a9a77c5298dfd8956faf93cf4d52f99e9ef1e
Instruction ID: a2f0cf39d644f7263dd012d965e2c60311575a764008176d6aa84c7ea7d4e18d
Opcode Fuzzy Hash: e61905947902415bbba6a722295a9a77c5298dfd8956faf93cf4d52f99e9ef1e
Instruction Fuzzy Hash: 8371E378E00209DFDF48CF9AD5819AEFBB1BF89314F18851AD416A7314D334A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0689A0BA, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

KebJ, xrefs: 0689A1A4

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: KebJ
API String ID: 0-3801065536
Opcode ID: 3d0f824a4a55fa47af788bc4d73d1c1395b1b5a45b16b4e185ccb97e975567d5
Instruction ID: 4ec604a024d30573693f48c90c41531aa10eb57b6615cdb8b67e13b5d77af52e
Opcode Fuzzy Hash: 3d0f824a4a55fa47af788bc4d73d1c1395b1b5a45b16b4e185ccb97e975567d5
Instruction Fuzzy Hash: 2261F474E0524ADFCF48CFA9C4818AEFBB1BF89214F188556D415E7315D334A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0689A758, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

i'l, xrefs: 0689A89A

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: i'l
API String ID: 0-3894128197
Opcode ID: 844771ca730d555dae600ea783cb58b1fa7451e53d92f32a065ef8f2a9faaa29
Instruction ID: 779387469037fe3371c12b16d3d1f58eb62ce4790e0143b30a8879dded23bc8a
Opcode Fuzzy Hash: 844771ca730d555dae600ea783cb58b1fa7451e53d92f32a065ef8f2a9faaa29
Instruction Fuzzy Hash: BE511A70E0520AAFDF48CFA9D4825AEFBF2BB98300F14C46AD555E7254E7349A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0689A768, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

i'l, xrefs: 0689A89A

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID: i'l
API String ID: 0-3894128197
Opcode ID: e153cbc4f1eab5eb2737d7cc4b54090055f0c3a716d7f30369e84885d0ea4dd9
Instruction ID: 8257356494febd8742af1a7d64e7806f14573dc999073b0edfa74a94c131c148
Opcode Fuzzy Hash: e153cbc4f1eab5eb2737d7cc4b54090055f0c3a716d7f30369e84885d0ea4dd9
Instruction Fuzzy Hash: 8E41E9B0E0520ADFDF48CF9AD5815AEFBB2BB98300F14D46AC415E7254D7349641CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0689A992, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac32c97748609e8b3ccccc99f0977ce74f6deff4b87779ec8bbba63a8249ca0a
Instruction ID: d41ac56826c90d116236363edba472bb8a8fb9554d239002844e5680f5ad6b52
Opcode Fuzzy Hash: ac32c97748609e8b3ccccc99f0977ce74f6deff4b87779ec8bbba63a8249ca0a
Instruction Fuzzy Hash: 33811274E052098FCF48CFA9C9415EEFBF2FB89214F28952AD419F7214D3319A42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06897208, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123b5287a6679cae1fdba5573f6cde72d7fe8609f5805b6679f821c032a41d21
Instruction ID: 56757acc47b1ad26b8b2e4315fcb8d7dd37d30a1f10f46892626eefcf9f9710c
Opcode Fuzzy Hash: 123b5287a6679cae1fdba5573f6cde72d7fe8609f5805b6679f821c032a41d21
Instruction Fuzzy Hash: 60611474E25209DFCB44CFA9D481AEEFBB2FB88310F148126E516AB315D3349A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0689A9A0, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f7534eb00e8a98a79058c1c8d7215d5899e1f546983a5f06124f7dd150ad44
Instruction ID: 18b130e473468a9ea2dbbc462fcab83c308d511dd9a33308e612bb07a3841670
Opcode Fuzzy Hash: d0f7534eb00e8a98a79058c1c8d7215d5899e1f546983a5f06124f7dd150ad44
Instruction Fuzzy Hash: 6071E374E0520D8FDF48CFA9C5815DEFBF2FB89214F28952AD419F7214D331AA428B64

Uniqueness

Uniqueness Score: -1.00%

Function 0953A9D2, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.480331712.0000000009530000.00000040.00000001.sdmp, Offset: 09530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb5aecd96fcbd5665960eb76d207550d3f9b83de2057e95b39de05422458335
Instruction ID: 674ec3be9eb441323050302ee8fc27824050d563147e573ee18357b783eb2f11
Opcode Fuzzy Hash: 5bb5aecd96fcbd5665960eb76d207550d3f9b83de2057e95b39de05422458335
Instruction Fuzzy Hash: EB613970E15219CFCB48CFE6D95459DBBB2FF89340F24D92AD14AF7258D33899028B18

Uniqueness

Uniqueness Score: -1.00%

Function 0689ADF0, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec483d3f03f6a111e762c1eb31be8b54fe58de0eed60b277eb002e9c926a8c13
Instruction ID: f007844a83de10d96ddfc8cb0d3132f59650ab6972f3a12528c10a45e77ab105
Opcode Fuzzy Hash: ec483d3f03f6a111e762c1eb31be8b54fe58de0eed60b277eb002e9c926a8c13
Instruction Fuzzy Hash: 1A519C71E156188BDB58DF6B994539EFBF3AFC8201F14C1BA850CA6224DB340A468E51

Uniqueness

Uniqueness Score: -1.00%

Function 0689AC18, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702a0185186df8c034538aa04c83f1811d3ee3bfb7016a26d3a4070b0d39d9cf
Instruction ID: 29143beb976233fd664ccd624ecfc400a25f9ee5ec34972d9b26b89d8f02d3ea
Opcode Fuzzy Hash: 702a0185186df8c034538aa04c83f1811d3ee3bfb7016a26d3a4070b0d39d9cf
Instruction Fuzzy Hash: AB41B2B4E0521A9FDF48CFA9C9415EEFBB2BB89304F24D569C405BB214E7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0689AC17, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d9c265fcf6fefc63df816d8ac2b2b0450c0502ecd5c7557c6fed2b43cefc3
Instruction ID: 0e4c9044cdc0fe736b8992b161dd7593eeab2fdcb78843aaee1af729735d4f77
Opcode Fuzzy Hash: f64d9c265fcf6fefc63df816d8ac2b2b0450c0502ecd5c7557c6fed2b43cefc3
Instruction Fuzzy Hash: 6741B3B4E052199FDF48CFA9C9415EEFBB2BF89304F24D56AC405BB214E7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0689E690, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8896b5114a7346d6b9c79d21a3c6760000df14bfedbd887c184ec6120365f3d
Instruction ID: ce92ced5118557ad5dae5b3460c1b9ce00b39dc9d0017d9479c8e0c7aee781bb
Opcode Fuzzy Hash: b8896b5114a7346d6b9c79d21a3c6760000df14bfedbd887c184ec6120365f3d
Instruction Fuzzy Hash: 7F412970E116199FDB58CF6AD845A9EFBF2FF88204F1480AAD909A7315DB309A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0689D8F8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa7f7cd85438a9bd85e8626b0d0d1178e39a2d8c29eb4daf63a48db54b71cc1
Instruction ID: 10b859b66f706c75d44b6cae7630c4e0fa8d5eb7d184e6a09f609ba89fa8223c
Opcode Fuzzy Hash: ffa7f7cd85438a9bd85e8626b0d0d1178e39a2d8c29eb4daf63a48db54b71cc1
Instruction Fuzzy Hash: 70315B70E156199BDF58CFA6D8816AEFBF2BFC9200F14C06AE609B7244DB304A018F65

Uniqueness

Uniqueness Score: -1.00%

Function 06895927, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479681309.0000000006890000.00000040.00000001.sdmp, Offset: 06890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6759e4ed955e2e81803f4e62f9e60ff7f8252825d3a7ffb47dfd94efe74cf348
Instruction ID: 147db2c89b333b88a4610b6622394b98dffa187c280656564dd1e11af9b03ad4
Opcode Fuzzy Hash: 6759e4ed955e2e81803f4e62f9e60ff7f8252825d3a7ffb47dfd94efe74cf348
Instruction Fuzzy Hash: 8C11D071E016189BEB5CCFABD8406DEFBF7AFC9200F04C17AD518A6254EB3055568F61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: enrnus.exe PID: 2288 Parent PID: 6876 enrnus.exeCOMMON

Executed Functions

Function 052857A5, Relevance: 1.6, APIs: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 052858BF

Memory Dump Source

Source File: 00000014.00000002.602250585.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2d51354de95e36444adfe06c3c06e32d21caf89fe90fedff64541254747808b
Instruction ID: 8f70226c1f083aaf03dd6ec09004b274400b05715d37ed9279d9106413c4080b
Opcode Fuzzy Hash: f2d51354de95e36444adfe06c3c06e32d21caf89fe90fedff64541254747808b
Instruction Fuzzy Hash: 7D413B74D162889FCF01CFE5E844AEEFFB1BF1A314F14905AE444A7292D7345944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05285779, Relevance: 1.6, APIs: 1, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 052858BF

Memory Dump Source

Source File: 00000014.00000002.602250585.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 12bcd2b8e15336bdc4c69e279401307b10155b8b03573c0f63f1ad47297c9bd5
Instruction ID: 45f406cce55349282790b997790ff4352d43bdde46ad52045a2ff3a5c80a6c94
Opcode Fuzzy Hash: 12bcd2b8e15336bdc4c69e279401307b10155b8b03573c0f63f1ad47297c9bd5
Instruction Fuzzy Hash: 43414B75D16288AFCF01CFE5E884ADEFFB5AF0A314F18905AE444B7252D734A944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0528D4F0, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0528D597

Memory Dump Source

Source File: 00000014.00000002.602250585.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ac4043ece603e1a8678fe4c3beb7a2c5eb67fbf7ca28721be010d5e2d50c4aaf
Instruction ID: c7e01e4e50d7d57bac1352c6f5690e396b39d4b02b5dab58b89cdc1b13f7c7ad
Opcode Fuzzy Hash: ac4043ece603e1a8678fe4c3beb7a2c5eb67fbf7ca28721be010d5e2d50c4aaf
Instruction Fuzzy Hash: A93199B9D052589FCF10CFA9D484AEEFBB0BF09314F14942AE814B7250D774A949CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05285818, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 052858BF

Memory Dump Source

Source File: 00000014.00000002.602250585.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: abc51524fd3f67d766d3a1d9cd5f1f979d4baa7e7fdb33da37a5e1438a12722a
Instruction ID: 8c70b9ad376ec7175922b70de0138a8b70f5dc6c3a1cbac44103887c2e114527
Opcode Fuzzy Hash: abc51524fd3f67d766d3a1d9cd5f1f979d4baa7e7fdb33da37a5e1438a12722a
Instruction Fuzzy Hash: 1C3199B9D052589FCF10CFA9D484AEEFBB0BF19310F24942AE814B7210D774A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 09300A60, Relevance: 1.6, APIs: 1, Instructions: 88fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 09300B01

Memory Dump Source

Source File: 00000014.00000002.602971221.0000000009300000.00000040.00000001.sdmp, Offset: 09300000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9790b12319c62104a968adc0b67af040f6988a89f52f3a581e555304ad5189c4
Instruction ID: ed0e33fa5358a18bfd7a0de9104583ef81e63d8d39e5b0acf251a955da690b25
Opcode Fuzzy Hash: 9790b12319c62104a968adc0b67af040f6988a89f52f3a581e555304ad5189c4
Instruction Fuzzy Hash: 3931DAB8D052589FCB10CFA9D884AEEFBF5BF49314F14806AE404B7250D734AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09300A68, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 09300B01

Memory Dump Source

Source File: 00000014.00000002.602971221.0000000009300000.00000040.00000001.sdmp, Offset: 09300000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bc7ade0e07d5223c638b048f78e6878e5f72e75d8fa5bf18887ee7075dde08ab
Instruction ID: a1e2218a9f0d1726be142c9aa6bb042f526743a46b2b5c91eab86e74ad942228
Opcode Fuzzy Hash: bc7ade0e07d5223c638b048f78e6878e5f72e75d8fa5bf18887ee7075dde08ab
Instruction Fuzzy Hash: D131C9B4D052189FCB10CFAAD884AEEFBF4BB49314F14806AE408B7350D734AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0126E788, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0126E802

Memory Dump Source

Source File: 00000014.00000002.593494909.0000000001260000.00000040.00000001.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f3bd48c83ab4507c108286f0b2f0e60316a90b054b3f4d097c43cde22aa7c64f
Instruction ID: 06e55aafba086647fd0ae85017fd3b3d8d56011e87f180fded4e1aabf247f555
Opcode Fuzzy Hash: f3bd48c83ab4507c108286f0b2f0e60316a90b054b3f4d097c43cde22aa7c64f
Instruction Fuzzy Hash: E61167B49102498FEF60DFA9D5487DEBBF8FB48324F10842AE405A7681D739A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage