
Analysis Report Receipt#502.exe

Overview

General Information

Sample Name: Receipt#502.exe
Analysis ID: 323033
MD5: e2e26573196fd444c8845d29e73a6b00
SHA1: 8a2fc9e82c11d234e74846451b12c73d69dea955
SHA256: 40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Receipt#502.exe (PID: 4636 cmdline: 'C:\Users\user\Desktop\Receipt#502.exe' MD5: E2E26573196FD444C8845D29E73A6B00)
    • schtasks.exe (PID: 1384 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5476 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 5480 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x211a:$a: NanoCore
  • 0x213f:$a: NanoCore
  • 0x2198:$a: NanoCore
  • 0x12335:$a: NanoCore
  • 0x1235b:$a: NanoCore
  • 0x123b7:$a: NanoCore
  • 0x1f20c:$a: NanoCore
  • 0x1f265:$a: NanoCore
  • 0x1f298:$a: NanoCore
  • 0x1f4c4:$a: NanoCore
  • 0x1f540:$a: NanoCore
  • 0x1fb59:$a: NanoCore
  • 0x1fca2:$a: NanoCore
  • 0x20176:$a: NanoCore
  • 0x2045d:$a: NanoCore
  • 0x20474:$a: NanoCore
  • 0x237fd:$a: NanoCore
  • 0x24bb7:$a: NanoCore
  • 0x24c01:$a: NanoCore
  • 0x2585b:$a: NanoCore
  • 0x2ae40:$a: NanoCore
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x13056d:$x1: NanoCore.ClientPluginHost
  • 0x1305aa:$x2: IClientNetworkHost
  • 0x1340dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0x1302d5:$a: NanoCore
  • 0x1302e5:$a: NanoCore
  • 0x130519:$a: NanoCore
  • 0x13052d:$a: NanoCore
  • 0x13056d:$a: NanoCore
  • 0x130334:$b: ClientPlugin
  • 0x130536:$b: ClientPlugin
  • 0x130576:$b: ClientPlugin
  • 0x13045b:$c: ProjectData
  • 0x130e62:$d: DESCrypto
  • 0x13882e:$e: KeepAlive
  • 0x13681c:$g: LogClientMessage
  • 0x132a17:$i: get_Connected
  • 0x131198:$j: #=q
  • 0x1311c8:$j: #=q
  • 0x1311e4:$j: #=q
  • 0x131214:$j: #=q
  • 0x131230:$j: #=q
  • 0x13124c:$j: #=q
  • 0x13127c:$j: #=q
  • 0x131298:$j: #=q
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x1e881d:$x1: NanoCore.ClientPluginHost
  • 0x1e885a:$x2: IClientNetworkHost
  • 0x1ec38d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8 further entries not shown.

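The offset lists above are what a YARA string match looks like against a memory dump: every occurrence of every rule string is reported with its offset and identifier, and the rule's condition then decides on the set of identifiers that hit, which is why a family name that appears once in an unrelated process is not enough on its own. The block below is an added example written for this page, not code from the Joe Sandbox report or from either rule author. It transcribes the string values the report shows for the two community rules (the Breen rule's $f and $h do not appear in the report and are left out), searches a constructed buffer for each of them as ASCII and as UTF-16LE (YARA's `wide` modifier), prints hits in the report's own `0x211a:$a: NanoCore` style and applies a count-style condition. The thresholds used (6 distinct identifiers for the Breen rule, 1 for Nanocore_RAT_Gen_2) are assumptions for the example; consult the published rule text for the real conditions.

```python
from typing import Dict, List, Tuple

# Rule strings transcribed from the matches the report lists: Kevin Breen's
# "NanoCore" rule ($a..$j; its $f and $h are not shown in the report and are
# left out) and Florian Roth's Nanocore_RAT_Gen_2 ($x1..$x3).
NANOCORE_STRINGS: Dict[str, bytes] = {
    "$a": b"NanoCore",
    "$b": b"ClientPlugin",
    "$c": b"ProjectData",
    "$d": b"DESCrypto",
    "$e": b"KeepAlive",
    "$g": b"LogClientMessage",
    "$i": b"get_Connected",
    "$j": b"#=q",
}
GEN_2_STRINGS: Dict[str, bytes] = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
}

Hits = Dict[str, List[Tuple[int, str]]]


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, ascending, overlapping matches included."""
    offsets: List[int] = []
    start = 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(buf: bytes, strings: Dict[str, bytes]) -> Hits:
    """Locate each rule string both as ASCII and as UTF-16LE (YARA's 'wide'),
    because .NET keeps identifiers as ASCII in the #Strings heap but user
    strings as UTF-16 in the #US heap. Returns {identifier: [(offset, encoding)]}."""
    hits: Hits = {}
    for ident, s in strings.items():
        found = [(off, "ascii") for off in find_all(buf, s)]
        found += [(off, "wide") for off in find_all(buf, s.decode("ascii").encode("utf-16-le"))]
        if found:
            hits[ident] = sorted(found)
    return hits


def rule_fires(hits: Hits, min_distinct: int) -> bool:
    """Count-style condition ('N of them'): at least N distinct identifiers hit."""
    return len(hits) >= min_distinct


def format_hits(hits: Hits, strings: Dict[str, bytes]) -> List[str]:
    """Render hits the way the report prints them, e.g. '0x211a:$a: NanoCore'."""
    return [
        f"0x{off:x}:{ident}: {strings[ident].decode('ascii')}" + ("" if enc == "ascii" else " (wide)")
        for ident in sorted(hits)
        for off, enc in hits[ident]
    ]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a region an unpacked NanoCore plugin would leave
    in RegSvcs.exe: metadata-style ASCII names, two obfuscated '#=q' identifiers
    and one wide copy of 'NanoCore'. Not a real dump."""
    return b"".join([
        b"\x00" * 0x40,
        b"NanoCore.ClientPluginHost\x00IClientNetworkHost\x00",
        b"\x00" * 0x20,
        b"ClientPlugin\x00ProjectData\x00DESCrypto\x00KeepAlive\x00",
        b"LogClientMessage\x00get_Connected\x00",
        b"#=qAbC\x00#=qDeF\x00",
        "NanoCore".encode("utf-16-le"),
        b"\x00" * 0x10,
    ])


def build_benign_dump() -> bytes:
    """A region that merely mentions the family name, as a scanner's own
    signature list would; a single string must not make a count-based rule fire."""
    return b"\x00" * 0x100 + b"Detected family: NanoCore\x00" + b"\x00" * 0x100


if __name__ == "__main__":
    dump = build_sample_dump()
    # thresholds below are assumptions for this example, not the published conditions
    for rule, strings, threshold in (("NanoCore", NANOCORE_STRINGS, 6), ("Nanocore_RAT_Gen_2", GEN_2_STRINGS, 1)):
        hits = scan(dump, strings)
        print(f"{rule}: {'MATCH' if rule_fires(hits, threshold) else 'no match'}")
        for line in format_hits(hits, strings):
            print("  " + line)
```

Run against a real dump, the ASCII hits cluster inside the assembly's metadata tables, which is why the report shows so many `$a` offsets a few bytes apart; the benign buffer yields only `$a` and stays below the threshold.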
Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5480, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Receipt#502.exe', ParentImage: C:\Users\user\Desktop\Receipt#502.exe, ParentProcessId: 4636, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', ProcessId: 1384

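Both Sigma hits above reduce to field tests over ordinary Sysmon-style events: a process-create event (EventID 1) in which schtasks.exe registers a task from an XML file under the user's Temp folder, and a file-create event (EventID 11) in which the injected RegSvcs.exe writes run.dat into a GUID-named folder directly under %APPDATA%. The block below is an added example written for this page, not the Sigma rules themselves and not code from Joe Security; it implements that logic as my own approximation of the two rules and runs it over constructed events, two of which carry the field values shown above and two of which are benign look-alikes the rules must leave alone. The regular expressions, the benign events and the exact field tests are assumptions of the example.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Sysmon-style events, constructed for this example. The first two carry the
# field values shown in the report's Sigma section (EventID 1 = process create,
# EventID 11 = file create); the last two are benign look-alikes the rules
# must leave alone.
SAMPLE_EVENTS: List[Event] = [
    {
        "EventID": 1,
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\Receipt#502.exe",
        "ProcessId": 1384,
    },
    {
        "EventID": 11,
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
        "ProcessId": 5480,
    },
    {   # benign: task registered from an XML that lives outside %TEMP%
        "EventID": 1,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Create /TN Backup\Nightly /XML C:\ProgramData\Backup\nightly.xml",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 2200,
    },
    {   # benign: a run.dat in a normally named application folder
        "EventID": 11,
        "Image": r"C:\Program Files\SomeApp\app.exe",
        "TargetFilename": r"C:\Users\user\AppData\Roaming\SomeApp\run.dat",
        "ProcessId": 3100,
    },
]

# /XML followed by a path under <drive>:\Users\<name>\AppData\Local\Temp\
TEMP_XML_RE = re.compile(r"/xml\s+'?[a-z]:\\users\\[^\\']+\\appdata\\local\\temp\\", re.I)
# <...>\AppData\Roaming\<GUID>\run.dat, the NanoCore client's data folder layout
RUN_DAT_RE = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\run\.dat$",
    re.I,
)


def detect_schtasks_temp_xml(ev: Event) -> bool:
    """'Scheduled temp file as task from temp location': schtasks.exe started
    with /Create and a task definition (/XML) read from the user's Temp folder."""
    if ev.get("EventID") != 1:
        return False
    image = str(ev.get("Image", "")).lower()
    cmd = str(ev.get("CommandLine", ""))
    return image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and bool(TEMP_XML_RE.search(cmd))


def detect_nanocore_run_dat(ev: Event) -> bool:
    """'NanoCore': a file-create event whose target is run.dat inside a
    GUID-named folder directly under %APPDATA% (Roaming)."""
    if ev.get("EventID") != 11:
        return False
    return bool(RUN_DAT_RE.search(str(ev.get("TargetFilename", ""))))


RULES: Dict[str, Callable[[Event], bool]] = {
    "Scheduled temp file as task from temp location": detect_schtasks_temp_xml,
    "NanoCore": detect_nanocore_run_dat,
}


def run_detections(events: Iterable[Event]) -> List[Tuple[str, int]]:
    """Apply every rule to every event; return (rule name, ProcessId) per hit, in event order."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, int(ev["ProcessId"])))
    return hits


if __name__ == "__main__":
    for name, pid in run_detections(SAMPLE_EVENTS):
        print(f"{name}: ProcessId {pid}")
```

The Temp-folder test keys on the XML path rather than on the task name because the name (`Updates\NeKPJNb` here) is random per build, while the staging of the task definition in %TEMP% is a behaviour of the loader.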
Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NeKPJNb.exe, ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Receipt#502.exe, ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 4x nop then jmp 0287C3FAh, 0_2_0287B69F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49709 -> 185.244.30.221:2078
Uses dynamic DNS services
Source: unknown, DNS query: name: without.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.5:49709 -> 185.244.30.221:2078
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown, DNS traffic detected: queries for: without.duckdns.org
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Receipt#502.exe, 00000000.00000003.238406656.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coma-e
Source: Receipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comd
Source: Receipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comes
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-uGu
Source: Receipt#502.exe, 00000000.00000003.238422196.0000000004F79000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-uh
Source: Receipt#502.exe, 00000000.00000003.238273524.0000000004F86000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coms
Source: Receipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comtrWv
Source: Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comu
Source: Receipt#502.exe, 00000000.00000003.240885938.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Receipt#502.exe, 00000000.00000003.241659047.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers$=
Source: Receipt#502.exe, 00000000.00000003.240941777.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers-
Source: Receipt#502.exe, 00000000.00000003.240647661.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Receipt#502.exe, 00000000.00000003.240614990.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersd
Source: Receipt#502.exe, 00000000.00000003.241659047.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersers
Source: Receipt#502.exe, 00000000.00000003.241049835.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersf=
Source: Receipt#502.exe, 00000000.00000003.241857098.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersn
Source: Receipt#502.exe, 00000000.00000003.241857098.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersx=
Source: Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Receipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: Receipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comasv
Source: Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: Receipt#502.exe, 00000000.00000003.240885938.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comldF
Source: Receipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comm
Source: Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsiv
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Receipt#502.exe, 00000000.00000003.237720086.0000000004F80000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnIT
Source: Receipt#502.exe, 00000000.00000003.237743636.000000000114B000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnd
Source: Receipt#502.exe, 00000000.00000003.237720086.0000000004F80000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cntteI
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
Source: Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: Receipt#502.exe, 00000000.00000003.242763996.0000000004FA5000.00000004.00000001.sdmp, Receipt#502.exe, 00000000.00000003.242740004.0000000004FA5000.00000004.00000001.sdmp, String found in binary or memory: http://www.monotype.
Source: Receipt#502.exe, 00000000.00000003.243733741.0000000004FA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.monotype.m
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Receipt#502.exe, 00000000.00000003.238223808.0000000004F83000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cno.

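The networking findings above are two independent signals that only become convincing together: a DNS query to a dynamic-DNS host (without.duckdns.org) and a fresh outbound TCP flow to a non-standard port (185.244.30.221:2078), which the Snort rule then labels as possible NanoCore C2. The block below is an added example written for this page, not Joe Sandbox or Snort code; it correlates DNS answers with flow records so that each flow can be attributed to the name that resolved to its destination, and flags flows to dynamic-DNS hosts and to non-standard ports. The sample records are constructed: the name, destination address and port are those in the report, but that the name actually resolved to that address is an assumption (the report lists the query and the flow separately), and the provider list, the port set and the benign filler flow are assumptions too.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dynamic-DNS apex domains. duckdns.org is the one the report shows; the rest
# are other well-known providers, added as an assumption of what a watch list
# would carry.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "dynu.com")

# Destination ports treated as ordinary for a fresh outbound flow; anything
# else is "non-standard" in the sense of the report's signature. Assumption.
STANDARD_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 995}


@dataclass
class DnsRecord:
    client: str
    qname: str
    answers: List[str]


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def is_dynamic_dns(qname: str) -> bool:
    """True when qname is a host under one of the dynamic-DNS apexes
    (suffix match on a label boundary, so 'notduckdns.org' does not count)."""
    name = qname.rstrip(".").lower()
    return any(name == suf or name.endswith("." + suf) for suf in DYNAMIC_DNS_SUFFIXES)


def correlate(dns: List[DnsRecord], flows: List[Flow]) -> List[Dict[str, object]]:
    """Attribute each flow to the most recent name that resolved to its
    destination, then flag flows to dynamic-DNS hosts and/or non-standard ports."""
    resolved: Dict[str, str] = {}
    for rec in dns:
        for ip in rec.answers:
            resolved[ip] = rec.qname
    alerts: List[Dict[str, object]] = []
    for fl in flows:
        qname: Optional[str] = resolved.get(fl.dst)
        reasons: List[str] = []
        if qname is not None and is_dynamic_dns(qname):
            reasons.append("dynamic DNS host")
        if fl.dport not in STANDARD_PORTS:
            reasons.append(f"non-standard port {fl.dport}")
        if reasons:
            alerts.append({
                "src": f"{fl.src}:{fl.sport}",
                "dst": f"{fl.dst}:{fl.dport}",
                "name": qname,
                "reasons": reasons,
            })
    return alerts


# Constructed sample traffic. The queried name, destination address and port
# are those in the report; that the name resolved to that address is an
# assumption. The second pair is benign filler using a TEST-NET address.
SAMPLE_DNS = [
    DnsRecord("192.168.2.5", "without.duckdns.org", ["185.244.30.221"]),
    DnsRecord("192.168.2.5", "www.example.com", ["203.0.113.10"]),
]
SAMPLE_FLOWS = [
    Flow("192.168.2.5", 49709, "185.244.30.221", 2078),
    Flow("192.168.2.5", 49710, "203.0.113.10", 443),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_DNS, SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']} ({a['name']}): " + "; ".join(a["reasons"]))
```

A flow that carries both reasons is the pattern worth paging on; either reason alone (a legitimate duckdns host on 443, or an internal service on an odd port) produces too many false positives to act on by itself.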
E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5480, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_07F51C52 NtQuerySystemInformation, 0_2_07F51C52
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_07F51C18 NtQuerySystemInformation, 0_2_07F51C18
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_0287B69F, 0_2_0287B69F
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_02872AEC, 0_2_02872AEC
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_0287A03D, 0_2_0287A03D
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_02871739, 0_2_02871739
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_0287A4D9, 0_2_0287A4D9
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_0287A051, 0_2_0287A051
Source: Receipt#502.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NeKPJNb.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Receipt#502.exe, Binary or memory string: OriginalFilename vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.251961319.0000000000562000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameWd.exe2 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258409433.0000000007F20000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMARCUS.dll4 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameB2B.exe4 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258056962.0000000006BF0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258056962.0000000006BF0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258250701.0000000007EC0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.257944997.0000000006B90000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Receipt#502.exe
Source: Receipt#502.exe, Binary or memory string: OriginalFilenameWd.exe2 vs Receipt#502.exe
Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5480, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Receipt#502.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NeKPJNb.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.evad.winEXE@8/8@2/2
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_07F51782 AdjustTokenPrivileges, 0_2_07F51782
Source: C:\Users\user\Desktop\Receipt#502.exe, Code function: 0_2_07F5174B AdjustTokenPrivileges, 0_2_07F5174B
Source: C:\Users\user\Desktop\Receipt#502.exe, File created: C:\Users\user\AppData\Roaming\NeKPJNb.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{17fd7e7e-3990-4c53-9987-94767303fd64}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Receipt#502.exe, Mutant created: \Sessions\1\BaseNamedObjects\hiXqVUTdIiJejPpdAJEytXszilO
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
Source: C:\Users\user\Desktop\Receipt#502.exe, File created: C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp
Source: Receipt#502.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Receipt#502.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Receipt#502.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Receipt#502.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Receipt#502.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Receipt#502.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Receipt#502.exe, ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Receipt#502.exe, File read: C:\Users\user\Desktop\Receipt#502.exe
Source: unknown, Process created: C:\Users\user\Desktop\Receipt#502.exe 'C:\Users\user\Desktop\Receipt#502.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
Source: C:\Users\user\Desktop\Receipt#502.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Receipt#502.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Receipt#502.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Receipt#502.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Receipt#502.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: Receipt#502.exe, 00000000.00000002.258250701.0000000007EC0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: Receipt#502.exe, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: NeKPJNb.exe.0.dr, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.Receipt#502.exe.560000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.Receipt#502.exe.560000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_005689D0 push ss; iretd 0_2_00568CDA
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_00568119 push 00000000h; iretd 0_2_0056829A
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_00DE2894 push cs; ret 0_2_00DE29AA
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_00DE2E0D push es; ret 0_2_00DE2E0E
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_00DE29AC push cs; ret 0_2_00DE29AA
    Source: C:\Users\user\Desktop\Receipt#502.exe Code function: 0_2_00DE2864 push cs; ret 0_2_00DE29AA
    Source: initial sample Static PE information: section name: .text entropy: 7.75101312154
    Source: C:\Users\user\Desktop\Receipt#502.exe File created: C:\Users\user\AppData\Roaming\NeKPJNb.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Receipt#502.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match File source: 00000000.00000002.253473397.0000000002D49000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1(R
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(RF]
    Source: C:\Users\user\Desktop\Receipt#502.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\Receipt#502.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: threadDelayed 814
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 707
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 698
    Source: C:\Users\user\Desktop\Receipt#502.exe TID: 4632 Thread sleep time: -41500s >= -30000s
    Source: C:\Users\user\Desktop\Receipt#502.exe TID: 456 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMware
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMware|9(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: VMWAREX1(rl[
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: vmwareX1(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMWARE
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: QEMUX1(r}]
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMWARE|9(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rI[
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMware |9(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\Receipt#502.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
    Source: C:\Users\user\Desktop\Receipt#502.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B00008
    Source: C:\Users\user\Desktop\Receipt#502.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
    Source: C:\Users\user\Desktop\Receipt#502.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp Binary or memory string: Program Manager.NET\Framework\v2.0.50727\
    Source: RegSvcs.exe, 00000005.00000003.354584389.0000000000F8A000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: RegSvcs.exe, 00000005.00000003.354143378.0000000000F9F000.00000004.00000001.sdmp Binary or memory string: Program ManagerCC
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp Binary or memory string: Program ManagerX
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation