Analysis Report Receipt.exe

Overview

General Information

Sample Name: Receipt.exe
Analysis ID: 320376
MD5: bb6f9ffd7714ccbadf5d6d37efc73c1a
SHA1: 167f22c4e387dd05b4dd0bd3e172f4f805572b07
SHA256: bd8cfbef2d3351bf256ed71484202f8351fe4705d32a23f8afa0b7e86b5aa250
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Receipt.exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\Receipt.exe' MD5: BB6F9FFD7714CCBADF5D6D37EFC73C1A)
    • schtasks.exe (PID: 6580 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6628 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x33e5:$a: NanoCore
  • 0x343e:$a: NanoCore
  • 0x347b:$a: NanoCore
  • 0x34f4:$a: NanoCore
  • 0x16b9f:$a: NanoCore
  • 0x16bb4:$a: NanoCore
  • 0x16be9:$a: NanoCore
  • 0x2f663:$a: NanoCore
  • 0x2f678:$a: NanoCore
  • 0x2f6ad:$a: NanoCore
  • 0x3447:$b: ClientPlugin
  • 0x3484:$b: ClientPlugin
  • 0x3d82:$b: ClientPlugin
  • 0x3d8f:$b: ClientPlugin
  • 0x1695b:$b: ClientPlugin
  • 0x16976:$b: ClientPlugin
  • 0x169a6:$b: ClientPlugin
  • 0x16bbd:$b: ClientPlugin
  • 0x16bf2:$b: ClientPlugin
  • 0x2f41f:$b: ClientPlugin
  • 0x2f43a:$b: ClientPlugin
00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(16 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.57d0000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.57d0000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(7 further unpacked PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6628, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Receipt.exe', ParentImage: C:\Users\user\Desktop\Receipt.exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', ProcessId: 6580

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FJyjsoEc.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Receipt.exe | Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 4x nop then jmp 02EDCCD0h | 0_2_02EDBF77
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Receipt.exe, 00000000.00000003.236159958.000000000552E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Receipt.exe, 00000000.00000003.240253238.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers-
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Receipt.exe, 00000000.00000003.240676562.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlw
Source: Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/q
Source: Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/w
Source: Receipt.exe, 00000000.00000003.240184375.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers2
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Receipt.exe, 00000000.00000003.241402308.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Receipt.exe, 00000000.00000003.240719140.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersQ
Source: Receipt.exe, 00000000.00000003.241420432.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersX
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFM
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comai
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomd
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessedT
Source: Receipt.exe, 00000000.00000003.241558097.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessedp
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comionM
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituF
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commmt
Source: Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Receipt.exe, 00000000.00000003.235863625.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/Ex
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Receipt.exe, 00000000.00000003.235663476.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn:
Source: Receipt.exe, 00000000.00000003.244241263.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Receipt.exe, 00000000.00000003.244662704.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/s
Source: Receipt.exe, 00000000.00000003.244592597.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Receipt.exe, 00000000.00000003.244468863.0000000005507000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm&
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l-g
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tion
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Receipt.exe, 00000000.00000003.235912791.0000000005529000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comatio
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFT
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dev
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Receipt.exe, 00000000.00000002.255762822.0000000001340000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_057D1A7A NtQuerySystemInformation
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_057D1A49 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_031E116A NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_031E112F NtQuerySystemInformation
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02ED2037
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02ED33CC
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02EDBF77
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02EDA959
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02EDADC0
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02EDA96D
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02ED010D
Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02ED0110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_031723A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03172FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0317AD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03178468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03179068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_03179910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0317912F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_0317306F
Source: Receipt.exe | Binary or memory string: OriginalFilename vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.262760402.0000000006DE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameI5.exeF vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.255762822.0000000001340000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.261817510.0000000006C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.263979443.00000000087F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.264217230.00000000088F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.264217230.00000000088F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.260595337.00000000057E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs Receipt.exe
Source: Receipt.exe | Binary or memory string: OriginalFilenameI5.exeF vs Receipt.exe
Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Receipt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: FJyjsoEc.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@6/4@0/1
      Source: C:\Users\user\Desktop\Receipt.exeCode function: 0_2_057D18FE AdjustTokenPrivileges,0_2_057D18FE
      Source: C:\Users\user\Desktop\Receipt.exeCode function: 0_2_057D18C7 AdjustTokenPrivileges,0_2_057D18C7
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031E0F2A AdjustTokenPrivileges,4_2_031E0F2A
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031E0EF3 AdjustTokenPrivileges,4_2_031E0EF3
      Source: C:\Users\user\Desktop\Receipt.exeFile created: C:\Users\user\AppData\Roaming\FJyjsoEc.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
      Source: C:\Users\user\Desktop\Receipt.exeMutant created: \Sessions\1\BaseNamedObjects\eoKRhcehSnEh
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4da8ce56-eacf-4373-8fb7-f39e5894de0d}
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\Receipt.exeFile created: C:\Users\user\AppData\Local\Temp\tmp90A5.tmpJump to behavior
      Source: Receipt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Receipt.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeFile read: C:\Users\user\Desktop\Receipt.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Receipt.exe 'C:\Users\user\Desktop\Receipt.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: C:\Users\user\Desktop\Receipt.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}Jump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\Receipt.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
      Source: Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\Receipt.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: Receipt.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\dll\System.pdbER source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdbca source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
      Source: Binary string: .pdby source: RegSvcs.exe, 00000004.00000002.505087785.00000000061DC000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\al source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\System.pdb\U source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
      Source: Binary string: oC:\Windows\System.pdb source: RegSvcs.exe, 00000004.00000002.505087785.00000000061DC000.00000004.00000001.sdmp
      Source: Binary string: System.pdb\ source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: Receipt.exe, 00000000.00000002.261817510.0000000006C10000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.504349348.0000000005760000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdbOA source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01122894 push cs; ret 0_2_011229AA
      Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01122D65 push es; ret 0_2_01122D66
      Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_02EDCE31 pushad ; iretd 0_2_02EDCE34
      Source: initial sample | Static PE information: section name: .text entropy: 7.75501817542
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Receipt.exe | File created: C:\Users\user\AppData\Roaming\FJyjsoEc.exe (dropped file)

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Receipt.exe | Process information set: NOOPENFILEERRORBOX (this event is recorded 34 times for this process)
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (this event is recorded 40 times for this process)

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: 00000000.00000002.256996521.00000000032AA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R)O
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLX1(RTH
      Source: C:\Users\user\Desktop\Receipt.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\Receipt.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 710
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 565
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 824
      Source: C:\Users\user\Desktop\Receipt.exe TID: 6448 | Thread sleep time: -41500s >= -30000s
      Source: C:\Users\user\Desktop\Receipt.exe TID: 6464 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4_2_031E0BB6 GetSystemInfo,4_2_031E0BB6
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: vmwareX1(rEn
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware|9(r
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: QEMUX1(r$o
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(r
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMWAREX1(r7i
      Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIX1(r
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMWARE|9(r
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware |9(r
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp | Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(rRo
      Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Receipt.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Process token adjusted: Debug
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Receipt.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\Receipt.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
      Source: C:\Users\user\Desktop\Receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F38008
      Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'
      Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
      Source: RegSvcs.exe, 00000004.00000002.503267436.00000000037CE000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
      Source: RegSvcs.exe, 00000004.00000002.501317775.00000000035CF000.00000004.00000001.sdmp | Binary or memory string: Program Managerp
      Source: RegSvcs.exe, 00000004.00000002.498952299.0000000001493000.00000004.00000020.sdmp | Binary or memory string: Program Managerknown.
      Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
      Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\Receipt.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation