
Analysis Report Copyofreceipt.scr

Overview

General Information

Sample Name: Copyofreceipt.scr (renamed file extension from scr to exe)
Analysis ID: 356658
MD5: 6f9340718bf2defbdb4b438d80857fb3
SHA1: ddfe78ec1db2fbec98ee87235938223360bae49d
SHA256: 26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55
Tags: AgentTesla, scr

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Copyofreceipt.exe (PID: 6436 cmdline: 'C:\Users\user\Desktop\Copyofreceipt.exe' MD5: 6F9340718BF2DEFBDB4B438D80857FB3)
    • schtasks.exe (PID: 6568 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Copyofreceipt.exe (PID: 6612 cmdline: C:\Users\user\Desktop\Copyofreceipt.exe MD5: 6F9340718BF2DEFBDB4B438D80857FB3)
    • Copyofreceipt.exe (PID: 6620 cmdline: C:\Users\user\Desktop\Copyofreceipt.exe MD5: 6F9340718BF2DEFBDB4B438D80857FB3)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "3ZVFxxx2W", "URL: ": "https://0SOrICva3tdSq4g.net", "To: ": "zenovia@ccglass.co.za", "ByHost: ": "mail.ccglass.co.za:587", "Password: ": "BKDXwAbUo", "From: ": "zenovia@ccglass.co.za"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.Copyofreceipt.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Copyofreceipt.exe.2999eac.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Copyofreceipt.exe.3c3c800.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Copyofreceipt.exe.3aded30.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Copyofreceipt.exe'
  ParentImage: C:\Users\user\Desktop\Copyofreceipt.exe
  ParentProcessId: 6436
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
  ProcessId: 6568

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Copyofreceipt.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | Avira: detection malicious, Label: HEUR/AGEN.1138558
Found malware configuration
Source: Copyofreceipt.exe.6620.5.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "3ZVFxxx2W", "URL: ": "https://0SOrICva3tdSq4g.net", "To: ": "zenovia@ccglass.co.za", "ByHost: ": "mail.ccglass.co.za:587", "Password: ": "BKDXwAbUo", "From: ": "zenovia@ccglass.co.za"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Copyofreceipt.exe | ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Copyofreceipt.exe | Joe Sandbox ML: detected
Source: 5.2.Copyofreceipt.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Copyofreceipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Copyofreceipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49740 -> 102.130.118.207:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 102.130.118.207:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://0SOrICva3tdSq4g.net
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 102.130.118.207:587
Source: unknown | DNS traffic detected: queries for: mail.ccglass.co.za
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://ccglass.co.za
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp | String found in binary or memory: http://mail.ccglass.co.za
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: http://zJtUrL.com
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: https://0SOrICva3tdSq4g.net
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 5.2.Copyofreceipt.exe.400000.0.unpack, <PrivateImplementationDetails>{A127015A-D413-43E5-BE45-E3525638B3FD}/4417B756-20AC-480B-9C23-F4A6397749FA.cs | Large array initialization: .cctor: array initializer size 11933
.NET source code contains very large strings
Source: Copyofreceipt.exe, frmlogin.cs | Long String: Length: 13656
Source: ZnTVKjXRZvpJV.exe.0.dr, frmlogin.cs | Long String: Length: 13656
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, frmlogin.cs | Long String: Length: 13656
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_00659526
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0106C0D4
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0106E5A0
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_04F247F8
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_04F247F2
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714C1B0
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07140040
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07142E58
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07142E68
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07140D80
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07142C18
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_07142C07
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714D273
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714617A
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 4_2_00359526
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_00D59526
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01222D50
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0122DF60
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01222768
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01221FE0
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0122BAA8
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_014520E0
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01457EB8
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_014595F8
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0145EA28
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_014596A8
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01540040
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01549418
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01545CDC
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0154C340
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01541780
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01544C10
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01540006
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0154F27A
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_017446A0
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01745372
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_017435C4
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_017445B0
Source: Copyofreceipt.exe, 00000000.00000000.197376752.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.222618081.0000000006ED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223124965.00000000079A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000004.00000000.215163381.00000000003D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464492892.0000000001168000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464792709.0000000001230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464365715.0000000000DD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.467174113.0000000001460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe
Source: Copyofreceipt.exe | Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Copyofreceipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ZnTVKjXRZvpJV.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.Copyofreceipt.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Copyofreceipt.exe, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: ZnTVKjXRZvpJV.exe.0.dr, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, frmlogin.cs | Base64 encoded string: (long base64 blob omitted)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/5@4/1
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File created: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File created: C:\Users\user\AppData\Local\Temp\tmpEC38.tmp
Source: Copyofreceipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Copyofreceipt.exe | ReversingLabs: Detection: 10%
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File read: C:\Users\user\Desktop\Copyofreceipt.exe
Source: unknown | Process created: C:\Users\user\Desktop\Copyofreceipt.exe 'C:\Users\user\Desktop\Copyofreceipt.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: unknown | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Copyofreceipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Copyofreceipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Copyofreceipt.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ZnTVKjXRZvpJV.exe.0.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714CF4A push ebx; retf
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714CF82 push ebx; retf
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 0_2_0714784B push esi; ret
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01227A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0145D3C0 pushad ; retn 011Dh
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_0145D938 pushad ; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.50002099302
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File created: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match | File source: 0.2.Copyofreceipt.exe.2999eac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.29d317c.2.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Window / User API: threadDelayed 3398
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Window / User API: threadDelayed 6457
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6440 | Thread sleep time: -101937s >= -30000s
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6460 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6960 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6964 | Thread sleep count: 3398 > 30
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6964 | Thread sleep count: 6457 > 30
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Code function: 5_2_01451840 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Memory written: C:\Users\user\Desktop\Copyofreceipt.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Users\user\Desktop\Copyofreceipt.exe VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Copyofreceipt.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Users\user\Desktop\Copyofreceipt.exe | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match | File source: 5.2.Copyofreceipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3c3c800.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3aded30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3b3c750.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Copyofreceipt.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Copyofreceipt.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY
Source: Yara match | File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match | File source: 5.2.Copyofreceipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3c3c800.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3aded30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Copyofreceipt.exe.3b3c750.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information31 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 356658 | Sample: Copyofreceipt.scr | Startdate: 23/02/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• Antivirus detection for dropped file
• 14 other signatures

Process: Copyofreceipt.exe (started)
• Dropped: C:\Users\user\AppData\...\ZnTVKjXRZvpJV.exe, PE32
• Dropped: C:\...\ZnTVKjXRZvpJV.exe:Zone.Identifier, ASCII
• Dropped: C:\Users\user\AppData\Local\...\tmpEC38.tmp, XML
• Dropped: C:\Users\user\...\Copyofreceipt.exe.log, ASCII
• Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• Signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• Signature: Injects a PE file into a foreign processes
• Started: Copyofreceipt.exe, schtasks.exe, Copyofreceipt.exe

Process: Copyofreceipt.exe (child, started by Copyofreceipt.exe)
• DNS/IP: ccglass.co.za, 102.130.118.207, ports 49740, 49741, 587, xneeloZA South Africa
• DNS/IP: mail.ccglass.co.za
• Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• Signature: Tries to steal Mail credentials (via file access)
• Signature: Tries to harvest and steal ftp login credentials
• Signature: Tries to harvest and steal browser information (history, passwords, etc)

Process: schtasks.exe (started by Copyofreceipt.exe)
• Started: conhost.exe

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Copyofreceipt.exe | 14% | Metadefender |
Copyofreceipt.exe | 11% | ReversingLabs | Win32.Trojan.Generic
Copyofreceipt.exe | 100% | Avira | HEUR/AGEN.1138558
Copyofreceipt.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | 100% | Avira | HEUR/AGEN.1138558
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | 14% | Metadefender |
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe | 11% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files

Source | Detection | Scanner | Label
4.0.Copyofreceipt.exe.350000.0.unpack | 100% | Avira | HEUR/AGEN.1138558
0.0.Copyofreceipt.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1138558
4.2.Copyofreceipt.exe.350000.0.unpack | 100% | Avira | HEUR/AGEN.1138558
5.2.Copyofreceipt.exe.d50000.1.unpack | 100% | Avira | HEUR/AGEN.1138558
5.0.Copyofreceipt.exe.d50000.0.unpack | 100% | Avira | HEUR/AGEN.1138558
5.2.Copyofreceipt.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
0.2.Copyofreceipt.exe.650000.0.unpack | 100% | Avira | HEUR/AGEN.1138558

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://zJtUrL.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
https://0SOrICva3tdSq4g.net | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ccglass.co.za | 102.130.118.207 | true | false |  | high
mail.ccglass.co.za | unknown | unknown | false |  | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://0SOrICva3tdSq4g.net | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.ccglass.co.za | Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp | false |  | high
http://127.0.0.1:HTTP/1.1 | Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com/designersG | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://DynDns.comDynDNS | Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.tiro.com | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.goodfont.co.kr | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://zJtUrL.com | Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp | false |  | high
http://www.carterandcone.coml | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/cThe | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp | false
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cnCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.galapagosdesign.com/DPleaseCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers8Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.fonts.comCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.sandoll.co.krCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://ccglass.co.zaCopyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.urwpp.deDPleaseCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.zhongyicts.com.cnCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCopyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.sakkal.comCopyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipCopyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown

Contacted IPs


Public

IP:102.130.118.207
Domain:unknown
Country:South Africa
Flag:ZA
ASN:37153
ASN Name:xneelo
Malicious:false

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:356658
Start date:23.02.2021
Start time:14:23:13
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 44s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Copyofreceipt.scr (renamed file extension from scr to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@8/5@4/1
EGA Information:Failed
HDC Information:
• Successful, ratio: 2.9% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.193.48, 104.43.139.144, 104.42.151.234, 51.104.144.132, 184.30.20.56, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 52.147.198.201
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/356658/sample/Copyofreceipt.exe

Simulations

Behavior and APIs

Time:14:24:03
Type:API Interceptor
Description:768x Sleep call for process: Copyofreceipt.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match:xneelo ZA
Associated Sample Name / URL, Detection, Context:
• qIViYQyb0a.exe, malicious, 196.22.132.140
• aJ5e4OJb0Q.exe, malicious, 102.130.119.215
• roboforex4multisetup.exe, malicious, 156.38.206.18
• fortrade4setup.exe, malicious, 156.38.206.18
• Bank details.exe, malicious, 129.232.138.144
• iUUJykFNh2.doc, malicious, 156.38.221.244
• iUUJykFNh2.doc, malicious, 156.38.221.244
• iUUJykFNh2.doc, malicious, 156.38.221.244
• Copy__VLWEHK9R.doc, malicious, 156.38.221.244
• Copy_HJ1TCUG.doc, malicious, 156.38.221.244
• Copy_HJ1TCUG.doc, malicious, 156.38.221.244
• Copy_HJ1TCUG.doc, malicious, 156.38.221.244
• Copy_HJ1TCUG.doc, malicious, 156.38.221.244
• Scan BUYX.doc, malicious, 156.38.221.244
• Scan BUYX.doc, malicious, 156.38.221.244
• 1 Total New Invoices-Monday December 14 2020.xlsm, malicious, 129.232.220.74
• eYXiYB6U8N.doc, malicious, 156.38.221.244
• dT361Rrrys.doc, malicious, 156.38.221.244
• dT361Rrrys.doc, malicious, 156.38.221.244
• eYXiYB6U8N.doc, malicious, 156.38.221.244

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copyofreceipt.exe.log
Process:C:\Users\user\Desktop\Copyofreceipt.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1216
Entropy (8bit):5.355304211458859
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:69206D3AF7D6EFD08F4B4726998856D3
SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:true
Reputation:moderate, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpEC38.tmp
Process:C:\Users\user\Desktop\Copyofreceipt.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1646
Entropy (8bit):5.210550125242434
Encrypted:false
SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB6tn:cbh47TlNQ//rydbz9I3YODOLNdq3a
MD5:74E5178641256500F0E9F4BA27DA611F
SHA1:B593E71E67185FB3D8D193D54DB4B420607F8ED0
SHA-256:BF10430D5E9B5395B43B8D368C7E6D65E7EBA962F70DB8EFA14C8A7D95C4DE07
SHA-512:B8FBC809F5FF30590BDDEC3CC49D71EC7F26FA15400CD0609F9A46BC0E10C7778D046790669F87C1645C5C86B941A433E7E58629F3212B61D16906CF18B7AAF0
Malicious:true
Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe
Process:C:\Users\user\Desktop\Copyofreceipt.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):519168
Entropy (8bit):7.487602713055043
Encrypted:false
SSDEEP:12288:NLY7TvkxZKBvCEVUGcRjH162O4KmWcZKU:NLY0KBvRUVRjygn
MD5:6F9340718BF2DEFBDB4B438D80857FB3
SHA1:DDFE78EC1DB2FBEC98EE87235938223360BAE49D
SHA-256:26B8405B53DA2FA69471859793721F24E5C407BB4D2AF8537E21E244C4363F55
SHA-512:D971042A10A141CB876D2AE3A69EBC7B9CFB740238B83FC59424344B15C2D9BAA09C624A925878C6A5E9E9DE8F36CEF34D49A6AA65B5A729D4AA56DA4A112B82
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 14%
• Antivirus: ReversingLabs, Detection: 11%
Reputation:low

C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe:Zone.Identifier
Process:C:\Users\user\Desktop\Copyofreceipt.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview:
[ZoneTransfer]
ZoneId=0

C:\Users\user\AppData\Roaming\nnze0rrb.c0s\Chrome\Default\Cookies
Process:C:\Users\user\Desktop\Copyofreceipt.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6970840431455908
Encrypted:false
SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:false
Reputation:moderate, very likely benign file

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.487602713055043
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:Copyofreceipt.exe
File size:519168
MD5:6f9340718bf2defbdb4b438d80857fb3
SHA1:ddfe78ec1db2fbec98ee87235938223360bae49d
SHA256:26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55
SHA512:d971042a10a141cb876d2ae3a69ebc7b9cfb740238b83fc59424344b15c2d9baa09c624a925878c6a5e9e9de8f36cef34d49a6aa65b5a729d4aa56da4a112b82
SSDEEP:12288:NLY7TvkxZKBvCEVUGcRjH162O4KmWcZKU:NLY0KBvRUVRjygn

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4800a6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6033EEFF [Mon Feb 22 17:50:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the preview continues with this same instruction on the following 97 lines; it is the decoding of 00 00 byte pairs, i.e. the zero padding after the CLR entry stub)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x80054 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x5d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7e0ac | 0x7e200 | False | 0.7782941805 | data | 7.50002099302 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x5d8 | 0x600 | False | 0.430338541667 | data | 4.15623906597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x82090 | 0x348 | data | |
RT_MANIFEST | 0x823e8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Microsoft 2014
Assembly Version | 1.0.0.0
InternalName | PEFileKinds.exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
LegalTrademarks |
Comments |
ProductName | WinClient
ProductVersion | 1.0.0.0
FileDescription | WinClient
OriginalFilename | PEFileKinds.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/23/21-14:25:51.269518 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49740 | 587 | 192.168.2.3 | 102.130.118.207
02/23/21-14:25:56.000105 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49741 | 587 | 192.168.2.3 | 102.130.118.207

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 14:25:47.920284986 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:48.148248911 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:48.148458958 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:49.477054119 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:49.477432966 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:49.707827091 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:49.710621119 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:49.940865993 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:49.942033052 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:50.211505890 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:50.563543081 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:50.564824104 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:50.800438881 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:50.801060915 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.031137943 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.031786919 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.264789104 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.265007973 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.269517899 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.270486116 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.270754099 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.271147013 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:51.503815889 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.503869057 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.566407919 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:51.613913059 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:52.692764044 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:52.924814939 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:52.924942970 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:52.926065922 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:53.157072067 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:53.214193106 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:53.440908909 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:53.442802906 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:54.212846041 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:54.213403940 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:54.440181971 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:54.440823078 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:54.682852983 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:54.683886051 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:54.945940018 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:54.946572065 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:55.203639030 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:55.203978062 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:55.593511105 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:55.653441906 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:55.653920889 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:55.996579885 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:55.997186899 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:55.999504089 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.000104904 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.000286102 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.000529051 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.000926018 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.001089096 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.001279116 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.001478910 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207
Feb 23, 2021 14:25:56.345427036 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:56.346282959 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:56.346780062 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:56.347376108 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:56.389697075 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:57.340683937 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3
Feb 23, 2021 14:25:57.396975040 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 14:24:06.293469906 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:06.353530884 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:07.905133009 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:07.953888893 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:08.865890980 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:08.917666912 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:09.805881023 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:09.858961105 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:10.826489925 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:10.876769066 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:11.773478985 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:11.826736927 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:13.191037893 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:13.239675999 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:15.075582027 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:15.127912998 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:16.280759096 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:16.329624891 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:17.238226891 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:17.297549963 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:23.219616890 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:23.284632921 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:24.249520063 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:24.298491001 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:24.907696009 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:24.958107948 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:29.836438894 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:29.898005962 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:40.570148945 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:40.618855000 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:42.166326046 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:42.226610899 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:43.522676945 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:43.574994087 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:44.397749901 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:44.472640991 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:46.855901957 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:46.904716015 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:47.163440943 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:47.228372097 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:47.901654005 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:47.950432062 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:24:49.088057995 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:24:49.137070894 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:01.407572985 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:01.456485033 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:07.370172977 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:07.431126118 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:12.358786106 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:12.412118912 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:36.036636114 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:36.085448980 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:38.032072067 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:38.103945017 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:47.658164978 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:47.726969957 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:47.741564989 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:47.805444956 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:52.978311062 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:53.050185919 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 14:25:53.095804930 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 14:25:53.211267948 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 14:25:47.658164978 CET | 192.168.2.3 | 8.8.8.8 | 0x1aee | Standard query (0) | mail.ccglass.co.za | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:47.741564989 CET | 192.168.2.3 | 8.8.8.8 | 0x4a49 | Standard query (0) | mail.ccglass.co.za | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:52.978311062 CET | 192.168.2.3 | 8.8.8.8 | 0x8a79 | Standard query (0) | mail.ccglass.co.za | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:53.095804930 CET | 192.168.2.3 | 8.8.8.8 | 0xb063 | Standard query (0) | mail.ccglass.co.za | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 14:25:47.726969957 CET | 8.8.8.8 | 192.168.2.3 | 0x1aee | No error (0) | mail.ccglass.co.za | ccglass.co.za | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 14:25:47.726969957 CET | 8.8.8.8 | 192.168.2.3 | 0x1aee | No error (0) | ccglass.co.za | | 102.130.118.207 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:47.805444956 CET | 8.8.8.8 | 192.168.2.3 | 0x4a49 | No error (0) | mail.ccglass.co.za | ccglass.co.za | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 14:25:47.805444956 CET | 8.8.8.8 | 192.168.2.3 | 0x4a49 | No error (0) | ccglass.co.za | | 102.130.118.207 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:53.050185919 CET | 8.8.8.8 | 192.168.2.3 | 0x8a79 | No error (0) | mail.ccglass.co.za | ccglass.co.za | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 14:25:53.050185919 CET | 8.8.8.8 | 192.168.2.3 | 0x8a79 | No error (0) | ccglass.co.za | | 102.130.118.207 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:53.211267948 CET | 8.8.8.8 | 192.168.2.3 | 0xb063 | No error (0) | mail.ccglass.co.za | ccglass.co.za | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 14:25:53.211267948 CET | 8.8.8.8 | 192.168.2.3 | 0xb063 | No error (0) | ccglass.co.za | | 102.130.118.207 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 23, 2021 14:25:49.477054119 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 220-cp25-za1.host-ww.net ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 15:25:48 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 23, 2021 14:25:49.477432966 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | EHLO 609290
Feb 23, 2021 14:25:49.707827091 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 250-cp25-za1.host-ww.net Hello 609290 [84.17.52.38]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 23, 2021 14:25:49.710621119 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | AUTH login emVub3ZpYUBjY2dsYXNzLmNvLnph
Feb 23, 2021 14:25:49.940865993 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Feb 23, 2021 14:25:50.563543081 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 235 Authentication succeeded
Feb 23, 2021 14:25:50.564824104 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | MAIL FROM:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:50.800438881 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 250 OK
Feb 23, 2021 14:25:50.801060915 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | RCPT TO:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:51.031137943 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 250 Accepted
Feb 23, 2021 14:25:51.031786919 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | DATA
Feb 23, 2021 14:25:51.265007973 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
Feb 23, 2021 14:25:51.271147013 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | .
Feb 23, 2021 14:25:51.566407919 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 250 OK id=1lEXhG-00Fa50-EY
Feb 23, 2021 14:25:52.692764044 CET | 49740 | 587 | 192.168.2.3 | 102.130.118.207 | QUIT
Feb 23, 2021 14:25:52.924814939 CET | 587 | 49740 | 102.130.118.207 | 192.168.2.3 | 221 cp25-za1.host-ww.net closing connection
Feb 23, 2021 14:25:54.212846041 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 220-cp25-za1.host-ww.net ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 15:25:53 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 23, 2021 14:25:54.213403940 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | EHLO 609290
Feb 23, 2021 14:25:54.440181971 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 250-cp25-za1.host-ww.net Hello 609290 [84.17.52.38]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Feb 23, 2021 14:25:54.440823078 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | AUTH login emVub3ZpYUBjY2dsYXNzLmNvLnph
Feb 23, 2021 14:25:54.682852983 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Feb 23, 2021 14:25:54.945940018 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 235 Authentication succeeded
Feb 23, 2021 14:25:54.946572065 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | MAIL FROM:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:55.203639030 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 250 OK
Feb 23, 2021 14:25:55.203978062 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | RCPT TO:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:55.653441906 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 250 Accepted
Feb 23, 2021 14:25:55.653920889 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | DATA
Feb 23, 2021 14:25:55.997186899 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
Feb 23, 2021 14:25:56.001478910 CET | 49741 | 587 | 192.168.2.3 | 102.130.118.207 | .
Feb 23, 2021 14:25:57.340683937 CET | 587 | 49741 | 102.130.118.207 | 192.168.2.3 | 250 OK id=1lEXhL-00Fa6F-5t

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 14:23:57
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Copyofreceipt.exe'
Imagebase: 0x650000
File size: 519168 bytes
MD5 hash: 6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 14:24:05
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Imagebase: 0xe00000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:24:05
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:24:06
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\Copyofreceipt.exe
Imagebase: 0x350000
File size: 519168 bytes
MD5 hash: 6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 14:24:06
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Copyofreceipt.exe
Imagebase: 0xd50000
File size: 519168 bytes
MD5 hash: 6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis