Analysis Report Receipt.exe

Overview

General Information

Sample Name:Receipt.exe
Analysis ID:288115
MD5:b637c3b199f38672138ee252608e56af
SHA1:4a0dc61c4b96d2459bf950251faa990f012c74e6
SHA256:31de2b0e1dff55d6f2b577c5dfa193b261e77df67141f034ec39ade4b17bfd4e
Tags:exe

Detection

NanoCore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Receipt.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\Receipt.exe' MD5: B637C3B199F38672138EE252608E56AF)
    • MSBuild.exe (PID: 1036 cmdline: {path} MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x113b5:$a: NanoCore
  • 0x1140e:$a: NanoCore
  • 0x1144b:$a: NanoCore
  • 0x114c4:$a: NanoCore
  • 0x24b6f:$a: NanoCore
  • 0x24b84:$a: NanoCore
  • 0x24bb9:$a: NanoCore
  • 0x3d63b:$a: NanoCore
  • 0x3d650:$a: NanoCore
  • 0x3d685:$a: NanoCore
  • 0x11417:$b: ClientPlugin
  • 0x11454:$b: ClientPlugin
  • 0x11d52:$b: ClientPlugin
  • 0x11d5f:$b: ClientPlugin
  • 0x2492b:$b: ClientPlugin
  • 0x24946:$b: ClientPlugin
  • 0x24976:$b: ClientPlugin
  • 0x24b8d:$b: ClientPlugin
  • 0x24bc2:$b: ClientPlugin
  • 0x3d3f7:$b: ClientPlugin
  • 0x3d412:$b: ClientPlugin

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.MSBuild.exe.5c30000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.MSBuild.exe.5c30000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
1.2.MSBuild.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.MSBuild.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
1.2.MSBuild.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 1036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Receipt.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Receipt.exe | Virustotal: Detection: 26%
Source: Receipt.exe | ReversingLabs: Detection: 58%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.5ff0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.5ff0000.4.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Receipt.exe | Joe Sandbox ML: detected
Source: 1.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 194.5.97.36:3410
Source: unknown | DNS traffic detected: queries for: u852121.nvpn.to

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.5ff0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.5ff0000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.646700263.0000000005C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5c30000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5ff0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.5ff0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_05F7199E NtQuerySystemInformation, 0_2_05F7199E
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_05F71963 NtQuerySystemInformation, 0_2_05F71963
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_059F1642 NtQuerySystemInformation, 1_2_059F1642
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_059F1607 NtQuerySystemInformation, 1_2_059F1607
        Source: Receipt.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Receipt.exe, 00000000.00000002.409524544.0000000006620000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs Receipt.exe
        Source: Receipt.exe, 00000000.00000002.396447498.0000000000352000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLDs.exel& vs Receipt.exe
        Source: Receipt.exe, 00000000.00000002.405498363.0000000005FA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHutaba.dll, vs Receipt.exe
        Source: Receipt.exe, 00000000.00000002.430706185.000000000B160000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Receipt.exe
        Source: 00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.646812170.0000000005FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.645842082.00000000047B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.646700263.0000000005C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.646700263.0000000005C30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.401693681.0000000003A70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.641328448.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.5c30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5c30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.5ff0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5ff0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.5ff0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5ff0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/2@23/1
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_05F71496 AdjustTokenPrivileges,0_2_05F71496
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_05F7145F AdjustTokenPrivileges,0_2_05F7145F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_059F1402 AdjustTokenPrivileges,1_2_059F1402
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_059F13CB AdjustTokenPrivileges,1_2_059F13CB
        Source: C:\Users\user\Desktop\Receipt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Receipt.exe.log
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{9868442a-9d4e-4c6d-b1ff-3e55d6e4fb6e}
        Source: C:\Users\user\Desktop\Receipt.exe | Mutant created: \Sessions\1\BaseNamedObjects\NJHbaYhyynzmaNJnjTBhDcmpyBT
        Source: C:\Users\user\Desktop\Receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Receipt.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Receipt.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Receipt.exe | Virustotal: Detection: 26%
        Source: Receipt.exe | ReversingLabs: Detection: 58%
        Source: unknown | Process created: C:\Users\user\Desktop\Receipt.exe 'C:\Users\user\Desktop\Receipt.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
        Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\Receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\Receipt.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: Receipt.exe, 00000000.00000002.430706185.000000000B160000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains method to dynamically call methods (often used by packers)
        Source: Receipt.exe, Resource_Analyst/Movies.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
        Source: 0.0.Receipt.exe.2a0000.0.unpack, Resource_Analyst/Movies.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
        Source: 0.2.Receipt.exe.2a0000.0.unpack, Resource_Analyst/Movies.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
        .NET source code contains potential unpacker
        Source: Receipt.exe, Resource_Analyst/Movies.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.Receipt.exe.2a0000.0.unpack, Resource_Analyst/Movies.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Receipt.exe.2a0000.0.unpack, Resource_Analyst/Movies.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_04B2BDB9 push edi; iretd 0_2_04B2BDBA
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_04B2BDAF push edi; iretd 0_2_04B2BDB0
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_06835D33 push esp; retf 0_2_06835D37
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_01599D30 pushad ; retf 1_2_01599D31
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_01599D2C push eax; retf 1_2_01599D2D
        Source: initial sample | Static PE information: section name: .text entropy: 7.40919243474
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Receipt.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 7148, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\Receipt.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: threadDelayed 974
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window / User API: foregroundWindowGot 807
        Source: C:\Users\user\Desktop\Receipt.exe TID: 7152 | Thread sleep time: -41500s >= -30000s
        Source: C:\Users\user\Desktop\Receipt.exe TID: 7152 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\Receipt.exe TID: 6192 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4420 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4420 | Thread sleep count: 175 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4420 | Thread sleep count: 974 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 3988 | Thread sleep count: 158 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4872 | Thread sleep time: -180000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 1_2_059F112A GetSystemInfo,1_2_059F112A
        Source: Receipt.exe, 00000000.00000002.415105374.0000000007582000.00000002.00000001.sdmp | Binary or memory string: =Qemuy}
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: Receipt.exe, 00000000.00000002.397831207.0000000002961000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\Receipt.exe | Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_00B4A172 CheckRemoteDebuggerPresent,0_2_00B4A172
        Source: C:\Users\user\Desktop\Receipt.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Receipt.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Receipt.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\Receipt.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
        Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 109A008
        Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
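Every "Queries volume information" row above targets a file under C:\Windows\Fonts. That pattern is what a .NET or GDI+ application leaves behind when it enumerates installed fonts, so on its own it is a weak indicator; the rows worth a second look in a report like this are volume queries that land anywhere else. The helper below is an added example, not Joe Sandbox code and not part of the report: it parses rows in the flattened form seen on this page (tolerating the fused "Receipt.exeQueries" and "VolumeInformationJump to behavior" extraction artifacts as well as a cleaned-up pipe-separated form), groups the queried paths by directory, and returns a verdict. The sample rows are the first two and the last row from the page; the extra row pointing at an AppData file is constructed purely to exercise the "review" branch and does not appear in the report.

```python
"""Triage helper for the 'Queries volume information' rows of a sandbox report.

Added example (not Joe Sandbox code). A run of volume-information queries that
all land in C:\\Windows\\Fonts is the usual footprint of a .NET/GDI+ program
enumerating installed fonts and is treated as low signal; any query outside that
directory is surfaced for review.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One behaviour row. Separators and the trailing link text are optional so the
# same pattern accepts the raw page extraction and a cleaned pipe-separated table.
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?\.exe)\s*\|?\s*"
    r"Queries volume information:\s*(?P<target>.+?)\s*\|?\s*"
    r"VolumeInformation(?:\s*Jump to behavior)?\s*$"
)

FONTS_DIR = PureWindowsPath(r"C:\Windows\Fonts")

# Rows copied from the report in the shapes they appear on the page
# (two raw extraction rows, one row with pipe separators).
PAGE_ROWS = r"""
Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
"""

# Constructed row, NOT from the report: a volume query outside the Fonts
# directory, included only to exercise the 'review' branch.
CONSTRUCTED_EXTRA_ROW = (
    r"Source: C:\Users\user\Desktop\Receipt.exeQueries volume information: "
    r"C:\Users\user\AppData\Roaming\example.dat VolumeInformationJump to behavior"
)


def parse_rows(text):
    """Return (source_process, queried_path) tuples for every row that matches ROW_RE."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.search(line.strip())
        if m:
            entries.append((m.group("source"), PureWindowsPath(m.group("target"))))
    return entries


def summarize(entries):
    """Count queried paths per directory and split them into Fonts-directory vs. other."""
    by_dir = Counter(str(target.parent) for _, target in entries)
    # PureWindowsPath compares case-insensitively, so C:\WINDOWS\fonts also matches.
    in_fonts = [t for _, t in entries if FONTS_DIR in t.parents]
    outside = [t for _, t in entries if FONTS_DIR not in t.parents]
    return {
        "total": len(entries),
        "font_queries": len(in_fonts),
        "other_queries": [str(t) for t in outside],
        "by_directory": dict(by_dir),
    }


def triage(entries):
    """One-line verdict: 'low-signal' if every query hits the Fonts directory, else 'review'."""
    s = summarize(entries)
    if s["total"] == 0:
        return "no volume-information rows found"
    if not s["other_queries"]:
        return (f"low-signal: all {s['total']} volume queries target {FONTS_DIR} "
                "(consistent with font enumeration, not by itself malicious)")
    return (f"review: {len(s['other_queries'])} of {s['total']} volume queries fall outside "
            f"{FONTS_DIR}: " + ", ".join(s["other_queries"]))


if __name__ == "__main__":
    page_entries = parse_rows(PAGE_ROWS)
    print(triage(page_entries))
    print(triage(page_entries + parse_rows(CONSTRUCTED_EXTRA_ROW)))
```

Paste the full block of rows from the report into PAGE_ROWS (or read them from a file) to run it over the whole section; the verdict only changes once a queried path outside the Fonts directory shows up, which is the case an analyst actually wants flagged.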