Analysis Report receipt.exe

Overview

General Information

Sample Name: receipt.exe
Analysis ID: 357256
MD5: a4a4bc6e3283ecc66cd4a4dc864acd9a
SHA1: 2114e1c9fbbc3ffa9921338e09deff202aba01bf
SHA256: 962debf4655a7917256ad3234217b1927a2c88afd4631ed8258121c5b9e2dfee
Tags: exe, NanoCore, RAT, USPS

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • receipt.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\receipt.exe' MD5: A4A4BC6E3283ECC66CD4A4DC864ACD9A)
    • schtasks.exe (PID: 5728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6664 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 6632 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • dhcpmon.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x9d885:$x1: NanoCore.ClientPluginHost
  • 0x9d8c2:$x2: IClientNetworkHost
  • 0xa13f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x9d5ed:$a: NanoCore
  • 0x9d5fd:$a: NanoCore
  • 0x9d831:$a: NanoCore
  • 0x9d845:$a: NanoCore
  • 0x9d885:$a: NanoCore
  • 0x9d64c:$b: ClientPlugin
  • 0x9d84e:$b: ClientPlugin
  • 0x9d88e:$b: ClientPlugin
  • 0x9d773:$c: ProjectData
  • 0x9e17a:$d: DESCrypto
  • 0xa5b46:$e: KeepAlive
  • 0xa3b34:$g: LogClientMessage
  • 0x9fd2f:$i: get_Connected
  • 0x9e4b0:$j: #=q
  • 0x9e4e0:$j: #=q
  • 0x9e4fc:$j: #=q
  • 0x9e52c:$j: #=q
  • 0x9e548:$j: #=q
  • 0x9e564:$j: #=q
  • 0x9e594:$j: #=q
  • 0x9e5b0:$j: #=q
00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1fe0ad:$x1: NanoCore.ClientPluginHost
  • 0x1fe0ea:$x2: IClientNetworkHost
  • 0x201c1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.receipt.exe.3c85f20.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.receipt.exe.3c85f20.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.receipt.exe.3c85f20.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.receipt.exe.3c85f20.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.receipt.exe.3c85f20.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(8 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\receipt.exe' , ParentImage: C:\Users\user\Desktop\receipt.exe, ParentProcessId: 7032, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', ProcessId: 5728

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CjkDta.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: receipt.exe | Virustotal: Detection: 43%
Source: receipt.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\CjkDta.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: receipt.exe | Joe Sandbox ML: detected
Source: 0.2.receipt.exe.410000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: receipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\receipt.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source: Binary string: mscorrc.pdb source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 45.15.143.249:7890
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 45.15.143.249:7890
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 45.15.143.249:7890
Source: Joe Sandbox View | ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.143.249 (50 identical entries)
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.
Source: receipt.exe, 00000000.00000003.648097931.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comel
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: receipt.exe, 00000000.00000003.651051823.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: receipt.exe, 00000000.00000003.660320142.00000000052B9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers$
Source: receipt.exe, 00000000.00000003.651023261.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: receipt.exe, 00000000.00000003.652003773.00000000052AE000.00000004.00000001.sdmp, receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: receipt.exe, 00000000.00000003.655160906.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersE
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: receipt.exe, 00000000.00000003.651625918.00000000052BF000.00000004.00000001.sdmp, receipt.exe, 00000000.00000003.651542933.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: receipt.exe, 00000000.00000003.651099578.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers_
Source: receipt.exe, 00000000.00000003.654447369.00000000052BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~
Source: receipt.exe, 00000000.00000003.652761536.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comE.TTF
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: receipt.exe, 00000000.00000003.654868204.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsF
Source: receipt.exe, 00000000.00000003.652420790.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comepko
Source: receipt.exe, 00000000.00000003.651507255.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: receipt.exe, 00000000.00000003.651125862.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comldf;
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comldu
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm;
Source: receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsief
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsiva
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: receipt.exe, 00000000.00000003.647713348.00000000052AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: receipt.exe, 00000000.00000003.647614140.00000000052AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn:
Source: receipt.exe, 00000000.00000003.647816511.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTN(
Source: receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/I
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: receipt.exe, 00000000.00000003.649098670.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Curs%
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0tr
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/anaz
Source: receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/;
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: receipt.exe, 00000000.00000003.659671357.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: receipt.exe, 00000000.00000003.649702876.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comt=
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: receipt.exe, 00000000.00000003.648660858.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comN==0
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: receipt.exe, 00000000.00000003.651014423.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deC
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFTm=
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deN==0
Source: receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: receipt.exe, 00000000.00000003.647991891.00000000052B4000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        PE file contains section with special chars
        Source: receipt.exe | Static PE information: section name: 3(G7gV
        Source: CjkDta.exe.0.dr | Static PE information: section name: 3(G7gV
        PE file has nameless sections
        Source: receipt.exe | Static PE information: section name: (empty)
        Source: CjkDta.exe.0.dr | Static PE information: section name: (empty)
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00B9ABEE NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00B9ABB3 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00B92477
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C63CA0
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C624A8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6A050
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C62DF3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C61D98
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6854B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C612A3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C69BA8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C63C9B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65440
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6944B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6887C
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6543B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C649C3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C68DC3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C68DC8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C649C8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C659F8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C61D8B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C60128
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65A08
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C6961B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C68A22
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C69620
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65E28
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65E38
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65FC9
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65BE3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C65BE8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C687F3
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C687F8
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FCBA08
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FC7790
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FC6C20
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FC7210
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FCC750
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D5970
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D006B
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D0070
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D5960
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D1B27
        Source: receipt.exe | Binary or memory string: OriginalFilename vs receipt.exe
        Source: receipt.exe, 00000000.00000002.703722345.00000000087E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs receipt.exe
        Source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs receipt.exe
        Source: receipt.exe, 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename4 vs receipt.exe
        Source: receipt.exe, 00000000.00000002.699337341.0000000005110000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs receipt.exe
        Source: receipt.exe, 00000000.00000002.693730770.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs receipt.exe
        Source: receipt.exe, 00000000.00000002.703631857.0000000008690000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs receipt.exe
        Source: receipt.exe, 00000000.00000002.703631857.0000000008690000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs receipt.exe
        Source: receipt.exe | Binary or memory string: OriginalFilename4 vs receipt.exe
        Source: C:\Users\user\Desktop\receipt.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: receipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: CjkDta.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: receipt.exe | Static PE information: Section: 3(G7gV ZLIB complexity 1.00040097268
        Source: CjkDta.exe.0.dr | Static PE information: Section: 3(G7gV ZLIB complexity 1.00040097268
        Source: receipt.exe, 00000000.00000003.648822422.00000000052AC000.00000004.00000001.sdmp | Binary or memory string: DYu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/11@0/1
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00B9A592 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00B9A55B AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\receipt.exe | File created: C:\Users\user\AppData\Roaming\CjkDta.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
        Source: C:\Users\user\Desktop\receipt.exe | Mutant created: \Sessions\1\BaseNamedObjects\dyOTlUQYOFXIogRwP
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e77d3ae2-5d58-46f0-8bbe-00fca4f52942}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01
        Source: C:\Users\user\Desktop\receipt.exe | File created: C:\Users\user\AppData\Local\Temp\tmp15FF.tmp
        Source: C:\Users\user\Desktop\receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\receipt.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\receipt.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\receipt.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: receipt.exe | Virustotal: Detection: 43%
        Source: receipt.exe | ReversingLabs: Detection: 31%
        Source: C:\Users\user\Desktop\receipt.exe | File read: C:\Users\user\Desktop\receipt.exe
        Source: unknown | Process created: C:\Users\user\Desktop\receipt.exe 'C:\Users\user\Desktop\receipt.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: C:\Users\user\Desktop\receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\receipt.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
        Source: Binary string: mscorrc.pdb source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\receipt.exe | Unpacked PE file: 0.2.receipt.exe.410000.0.unpack 3(G7gV:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        Source: receipt.exe | Static PE information: section name: 3(G7gV
        Source: receipt.exe | Static PE information: section name: (empty)
        Source: CjkDta.exe.0.dr | Static PE information: section name: 3(G7gV
        Source: CjkDta.exe.0.dr | Static PE information: section name: (empty)
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_00416A34 push edi; retf
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_0041278B push esi; iretd
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C60063 push es; ret
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04C62009 push ss; ret
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FC0006 push ebp; ret
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_04FC358D push ds; retf
        Source: C:\Users\user\Desktop\receipt.exe | Code function: 0_2_086D3753 push ds; retf
        Source: initial sample | Static PE information: section name: 3(G7gV entropy: 7.99735306844
        Source: initial sample | Static PE information: section name: .text entropy: 7.96127820812
        Source: initial sample | Static PE information: section name: 3(G7gV entropy: 7.99735306844
        Source: initial sample | Static PE information: section name: .text entropy: 7.96127820812
        Source: C:\Users\user\Desktop\receipt.exe | File created: C:\Users\user\AppData\Roaming\CjkDta.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Icon mismatch, binary includes an icon from a different legit application in order to fool users
        Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (4).png
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\receipt.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\receipt.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\receipt.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 588
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 641
        Source: C:\Users\user\Desktop\receipt.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\receipt.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\receipt.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\receipt.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\receipt.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\receipt.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\receipt.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
        Source: C:\Users\user\Desktop\receipt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: C1C008
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: C:\Users\user\Desktop\receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\receipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
        Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: receipt.exe, 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
        Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Masquerading 12 | OS Credential Dumping | Security Software Discovery 13 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job 1 | DLL Side-Loading 1 | Process Injection 311 | Virtualization/Sandbox Evasion 4 | LSASS Memory | Virtualization/Sandbox Evasion 4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading 1 | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 311 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 14 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 357256 | Sample: receipt.exe | Startdate: 24/02/2021 | Architecture: WINDOWS | Score: 100

        Signatures on the root node:
        • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        • Malicious sample detected (through community Yara rule)
        • Multi AV Scanner detection for dropped file
        • 11 other signatures

        Process tree (from the graph):
        • receipt.exe (started)
          • dropped: C:\Users\user\AppData\Roaming\CjkDta.exe, PE32
          • dropped: C:\Users\user\AppData\Local\...\tmp15FF.tmp, XML
          • dropped: C:\Users\user\AppData\...\receipt.exe.log, ASCII
          • signatures: Detected unpacking (changes PE section rights); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
          • RegSvcs.exe (started)
            • network: 45.15.143.249, ports 49736, 49743, 49745, DEDIPATH-LLCUS, Latvia
            • dropped: C:\Users\user\AppData\Roaming\...\run.dat, data
            • dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
            • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • schtasks.exe (started)
            • conhost.exe (started)
          • RegSvcs.exe (started)
        • dhcpmon.exe (started)
          • conhost.exe (started)

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        receipt.exe | 43% | Virustotal |
        receipt.exe | 31% | ReversingLabs | Win32.Trojan.Wacatac
        receipt.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\CjkDta.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\CjkDta.exe | 31% | ReversingLabs | Win32.Trojan.Wacatac

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.2.receipt.exe.410000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3

        Domains

        No Antivirus matches

        URLs


        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.comI.TTF | receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.comt= | receipt.exe, 00000000.00000003.649702876.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.comN==0 | receipt.exe, 00000000.00000003.648660858.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers? | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersE | receipt.exe, 00000000.00000003.655160906.00000000052BF000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/anaz | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deFTm= | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.comepko | receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn: | receipt.exe, 00000000.00000003.647614140.00000000052AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0tr | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com | receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersP | receipt.exe, 00000000.00000003.651625918.00000000052BF000.00000004.00000001.sdmp, receipt.exe, 00000000.00000003.651542933.00000000052BF000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnTN( | receipt.exe, 00000000.00000003.647816511.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com. | receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsF | receipt.exe, 00000000.00000003.654868204.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coml1 | receipt.exe, 00000000.00000003.651507255.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/; | receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers_ | receipt.exe, 00000000.00000003.651099578.00000000052BF000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/ | receipt.exe, 00000000.00000003.651051823.00000000052AE000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comldu | receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comel | receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/% | receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deN==0 | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deDPlease | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com= | receipt.exe, 00000000.00000003.652761536.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coma | receipt.exe, 00000000.00000003.648097931.00000000052B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comI | receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comsiva | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | false | - | high
http://www.galapagosdesign.com/ | receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/V | receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers~ | receipt.exe, 00000000.00000003.654447369.00000000052BF000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/I | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comldf; | receipt.exe, 00000000.00000003.651125862.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/C | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | receipt.exe, 00000000.00000003.652420790.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/I | receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deC | receipt.exe, 00000000.00000003.651014423.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | receipt.exe, 00000000.00000003.647713348.00000000052AF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | receipt.exe, 00000000.00000003.652003773.00000000052AE000.00000004.00000001.sdmp, receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.come | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm; | receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.monotype. | receipt.exe, 00000000.00000003.659671357.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/m | receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers$ | receipt.exe, 00000000.00000003.660320142.00000000052B9000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comm | receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Curs% | receipt.exe, 00000000.00000003.649098670.00000000052B3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cno. | receipt.exe, 00000000.00000003.647991891.00000000052B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.comals | receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/d | receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | receipt.exe, 00000000.00000003.651023261.00000000052BF000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comsief | receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comE.TTF | receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.15.143.249 | unknown | Latvia | 35913 | DEDIPATH-LLCUS | true

                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357256
Start date: 24.02.2021
Start time: 10:51:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: receipt.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/11@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 7% (good quality ratio 3.5%)
• Quality average: 29.8%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
10:52:29 | API Interceptor | 1x Sleep call for process: receipt.exe modified
10:52:44 | API Interceptor | 815x Sleep call for process: RegSvcs.exe modified
10:52:46 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "DHCP Monitor", data C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
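The indicators a responder would sweep a fleet for after this report are the contacted IP (the one network artefact the report marks Malicious: true), the Run key value "DHCP Monitor", and the dropped dhcpmon.exe with its MD5 and SHA-256 from the "Created / dropped Files" section; the font-vendor URLs recovered from memory are all marked Malicious: false and are not indicators. What follows is an added example, not part of the Joe Sandbox report or its tooling: a Python matcher that checks Sysmon-style event records against exactly those values. The event records are constructed for the demo, the field names (EventID, Image, TargetFilename, TargetObject, Details, DestinationIp, Hashes) are borrowed from Sysmon's schema, and the RegSvcs.exe path is the process the report lists as the writer of dhcpmon.exe.

```python
"""
IOC sweep for the receipt.exe artefacts over Sysmon-style events.

Added example, not part of the Joe Sandbox report. Indicator values are copied from
the report's 'Contacted IPs', 'Simulations' and 'Created / dropped Files' sections;
the event records are constructed and their layout (Sysmon field names in a dict)
is an assumption for the demo.
"""

# --- Indicators from the report ------------------------------------------------
C2_IPS = {"45.15.143.249"}                              # Contacted IPs: Malicious = true
DROPPED_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
DROPPED_HASHES = {                                      # Created / dropped Files
    "MD5": "71369277D09DA0830C8C59F9E22BB23A",
    "SHA256": "D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698",
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DHCP Monitor"                              # Simulations: Autostart
# Process the report lists as the writer of dhcpmon.exe (a .NET host used for injection).
WRITER_PROCESS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"


def norm(s):
    """Case-fold a path or registry key and map long hive names to Sysmon's short form."""
    s = s.strip().lower()
    for long_name, short in (("hkey_local_machine", "hklm"),
                             ("hkey_current_user", "hkcu"),
                             ("hkey_users", "hku")):
        if s.startswith(long_name):
            s = short + s[len(long_name):]
    return s


def parse_hashes(field):
    """Sysmon writes 'MD5=...,SHA256=...'; return {ALGO: UPPER-HEX}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().upper()
    return out


def match_event(ev):
    """Return the list of IOC hits for one event; an empty list means no match."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    # Sysmon 3: network connection to the C2 address.
    if eid == 3 and ev.get("DestinationIp") in C2_IPS:
        hits.append(f"C2 connection to {ev['DestinationIp']} from {image}")

    # Sysmon 11: file create at the dropped path; note whether the writer matches the report.
    if eid == 11 and norm(ev.get("TargetFilename", "")) == norm(DROPPED_PATH):
        who = "RegSvcs.exe (as in the report)" if norm(image) == norm(WRITER_PROCESS) else image
        hits.append(f"dropped file {DROPPED_PATH} written by {who}")

    # Sysmon 13: registry value set. TargetObject is '<key>\<value name>', so compare
    # key and value name separately; a different key with the same value name must not fire.
    if eid == 13:
        key, _, value = norm(ev.get("TargetObject", "")).rpartition("\\")
        if key == norm(RUN_KEY) and value == norm(RUN_VALUE):
            hits.append(f"Run-key persistence '{RUN_VALUE}' -> {ev.get('Details', '')}")

    # Sysmon 1: process create; accept whichever hash algorithm the sensor recorded.
    if eid == 1:
        seen = parse_hashes(ev.get("Hashes", ""))
        for algo, digest in DROPPED_HASHES.items():
            if seen.get(algo) == digest:
                hits.append(f"{algo} of {image} matches dropped dhcpmon.exe")
                break
    return hits


def sweep(events):
    """Run match_event over a list of events; return '[index] hit' strings."""
    findings = []
    for i, ev in enumerate(events):
        for hit in match_event(ev):
            findings.append(f"[{i}] {hit}")
    return findings


# Constructed events for the demo (not from the report): two benign, four matching.
# 203.0.113.10 is a documentation address (RFC 5737).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10"},
    {"EventID": 11, "Image": WRITER_PROCESS,
     "TargetFilename": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"EventID": 13, "Image": WRITER_PROCESS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor",
     "Details": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "Hashes": "MD5=71369277d09da0830c8c59f9e22bb23a,"
               "SHA256=d4527b7ad2fc4778cc5be8709c95aea44eac0568b367ee14f7357d72898c3698"},
    {"EventID": 3, "Image": WRITER_PROCESS, "DestinationIp": "45.15.143.249"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for line in sweep(SAMPLE_EVENTS):
        print(line)
```

Paths, hive names and hex digests are compared case-insensitively because sensors differ in what they emit (the report prints digests in upper case, the constructed event in lower case), while the registry check splits TargetObject into key and value name so that an unrelated Run entry does not match on the key alone.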

                                          Joe Sandbox View / Context

                                          IPs

Match: 45.15.143.249
Associated sample (detected malicious):
• oMWv1Zof2y.exe

                                            Domains

                                            No context

                                            ASN

Match: DEDIPATH-LLCUS
Associated samples (all detected malicious), with the IP each contacted in this ASN:
• oMWv1Zof2y.exe (45.15.143.249)
• Vessel Line Up 7105082938.exe (193.239.147.77)
• 2-090000000900.exe (193.239.147.103)
• CHT International.exe (45.145.185.209)
• PO 20191003.exe (45.145.185.209)
• SecuriteInfo.com.Trojan.DownloaderNET.117.13478.exe (193.239.147.103)
• SecuriteInfo.com.Trojan.DownloaderNET.117.10549.exe (193.239.147.103)
• SecuriteInfo.com.Trojan.DownloaderNET.117.21662.exe (193.239.147.103)
• SecuriteInfo.com.Trojan.DownloaderNET.117.16476.exe (193.239.147.103)
• f733jX7bkz.exe (193.239.147.165)
• TfRB8EdIBv.exe (193.239.147.165)
• AmazonSetup.exe (45.145.185.40)
• PO 20191003.exe (45.145.185.209)
• Server.exe (171.22.116.126)
• 5tE5R0eVwq.exe (45.145.185.153)
• eYwQ9loD5Q.exe (45.15.170.154)
• SecuriteInfo.com.Trojan.Packed2.42841.8000.exe (45.145.185.153)
• SecuriteInfo.com.Trojan.GenericKD.36275553.12090.doc (45.145.185.167)
• Tax Invoice.exe (139.28.235.223)
• payment_slip_ receipt.doc (193.239.147.103)

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Associated samples that dropped the same file (all detected malicious):
• YoWPu2BQzA9FeDd.exe
• M5QDAaK9yM.exe
• oMWv1Zof2y.exe
• TdX45jQWjj.exe
• QTxFuxF5NQ.exe
• a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe
• 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe
• Vietnam Order.exe
• Dhl Shipping Document.exe
• PO-WJO-001, pdf.exe
• byWuWAR5FD.exe
• parcel_images.exe
• 0712020.exe
• JfRbEbUkpV39K4L.exe
• DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe
• DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe
• zC3edqmNNt.exe
• Shipping Document.pdf..exe
• PPR & CPR_HEA_DECEMBER 4 2020.exe
• AdministratorDownloadsBL,.rar.exe

                                                                                    Created / dropped Files

                                                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32768
                                                                                    Entropy (8bit):3.7515815714465193
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                                                                    MD5:71369277D09DA0830C8C59F9E22BB23A
                                                                                    SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                                                                    SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                                                                    SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: YoWPu2BQzA9FeDd.exe, Detection: malicious
                                                                                    • Filename: M5QDAaK9yM.exe, Detection: malicious
                                                                                    • Filename: oMWv1Zof2y.exe, Detection: malicious
                                                                                    • Filename: TdX45jQWjj.exe, Detection: malicious
                                                                                    • Filename: QTxFuxF5NQ.exe, Detection: malicious
                                                                                    • Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious
                                                                                    • Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious
                                                                                    • Filename: Vietnam Order.exe, Detection: malicious
                                                                                    • Filename: Dhl Shipping Document.exe, Detection: malicious
                                                                                    • Filename: PO-WJO-001, pdf.exe, Detection: malicious
                                                                                    • Filename: byWuWAR5FD.exe, Detection: malicious
                                                                                    • Filename: parcel_images.exe, Detection: malicious
                                                                                    • Filename: 0712020.exe, Detection: malicious
                                                                                    • Filename: JfRbEbUkpV39K4L.exe, Detection: malicious
                                                                                    • Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
                                                                                    • Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious
                                                                                    • Filename: zC3edqmNNt.exe, Detection: malicious
                                                                                    • Filename: Shipping Document.pdf..exe, Detection: malicious
                                                                                    • Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious
                                                                                    • Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):120
                                                                                    Entropy (8bit):5.016405576253028
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                    MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                    SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                    SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                    SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\receipt.exe.log
                                                                                    Process:C:\Users\user\Desktop\receipt.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):525
                                                                                    Entropy (8bit):5.2874233355119316
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                                    MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                                    SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                                    SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                                    SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                                    Malicious:true
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                    C:\Users\user\AppData\Local\Temp\tmp15FF.tmp
                                                                                    Process:C:\Users\user\Desktop\receipt.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1639
                                                                                    Entropy (8bit):5.173941092991223
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGrtn:cbhK79lNQR/rydbz9I3YODOLNdq3S
                                                                                    MD5:326073424F138CC1885296C478A8924E
                                                                                    SHA1:CE52D5D40A74406D6FCAAB315E518DBBA52C70E7
                                                                                    SHA-256:1DDD684BF5D1A1E85B77B51B630B021342754D36F3CD7AD13E46F1262BD62186
                                                                                    SHA-512:E009D02B48E5EA00E137A84488CAFF4A05E6F6AEAD606EC5507387600845DD8EFB0FA52C4E3240FD1C7FFD21FB303F912FA57AA6747B3583E6D76AD08365CF02
                                                                                    Malicious:true
                                                                                    Reputation:low
                                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                                    C:\Users\user\AppData\Roaming\CjkDta.exe
                                                                                    Process:C:\Users\user\Desktop\receipt.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):577536
                                                                                    Entropy (8bit):7.796026251145376
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:SncU0euEk1BdSfVfDpr26vgOIWO2UUA+4ZPZ4x07dtSvz:SGdkV2V0cSxOdtSL
                                                                                    MD5:A4A4BC6E3283ECC66CD4A4DC864ACD9A
                                                                                    SHA1:2114E1C9FBBC3FFA9921338E09DEFF202ABA01BF
                                                                                    SHA-256:962DEBF4655A7917256AD3234217B1927A2C88AFD4631ED8258121C5B9E2DFEE
                                                                                    SHA-512:B45EA70E2D6FAA54AE5FC6A26158B47A5B51C7064D85C9ED7C1F632924CC0D6A82D50D5A68D46CA7060427D59625EE4E447CC7892F8B924335CFEAC849A8A355
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 31%
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M5`..............0......@.......@...`... ....@.. .......................`............@..................................i..W............................ .......................................................@...............`..H...........3(.G7gV..,... ......................@....text........`.......2.............. ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1488
                                                                                    Entropy (8bit):6.997351629001838
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:IQnybgCIC9oE/3blQnybgCIC9oE/3blQnybgCIC9oE/3blQnybgCIC9oE/3blQnT:IkXCNlkXCNlkXCNlkXCNlkXCNlkXCg
                                                                                    MD5:C9F2440AA7796CD29110666CC178E7F4
                                                                                    SHA1:BC55644B59BE9DA50D3BE05129C2FB38A703DF6A
                                                                                    SHA-256:5CAF3D80729A320F4B71B72BAEFD1096C257821EA9996A9AE4F811206B3D8307
                                                                                    SHA-512:FFDBE91785DB3E47F3F4361E8CE0CD920F5B913E1F2379000555575DF40EB6747C3B0A92B5235FC54BDB3DDC48C68921EEEAFBF46BB4882F71AA889634EDBDF1
                                                                                    Malicious:false
                                                                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.
                                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):8
                                                                                    Entropy (8bit):2.75
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:g4V:g4V
                                                                                    MD5:0DA39798C7C07335778F7D2F0F1FC776
                                                                                    SHA1:2979F0AA7FF28CFE7584A74C6317F94D07951BE6
                                                                                    SHA-256:D636D85F4DA64AB2A21322F373E0ACA6777B89A31D778B303AD8C434E1E75FA9
                                                                                    SHA-512:F148C85A2C0A80EC9E23E92CEDD5E6ED6E0CC2E7BE40CB46784B7E0348044E03149D44565184C2AB050D155A4DCEE6B9299A589666C8A1D21E4C20CE5479B39B
                                                                                    Malicious:true
                                                                                    Preview: ......H
                                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):24
                                                                                    Entropy (8bit):4.501629167387823
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                                                    MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                                                    SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                                                    SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                                                    SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                                                    Malicious:false
                                                                                    Preview: 9iH...}Z.4..f..J".C;"a
                                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):5.320159765557392
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                                                    MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                                                    SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                                                    SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                                                    SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                                                    Malicious:false
                                                                                    Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):433672
                                                                                    Entropy (8bit):7.9996054300907025
                                                                                    Encrypted:true
                                                                                    SSDEEP:12288:FYbLHD8RJ3R1u49pIS86MXt8c2m6FeMlYr:Fczqr9enDXmcUBlg
                                                                                    MD5:4D8AF7EC17CA5B66A617E00BB0C80481
                                                                                    SHA1:EC2FE147F5370DADADFF076D4043390C7B2A45C7
                                                                                    SHA-256:4251EF3033BB49F05311505FF955ED0989BA17C04F93B4DE47428A59FDFD33CB
                                                                                    SHA-512:81EE1ABA97A13874A2EEC9C501633087E949C861F08E956225E44CBFF3FD61C2404DC36110D4BBBAF14D73EB3E568BE97F1947311D518290FF42C81641B332B1
                                                                                    Malicious:false
                                                                                    Preview: .........O.......\8..5N..`S.]..[r.$*>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr...*..Q..*..../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d......*.m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...
                                                                                    \Device\ConDrv
                                                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1145
                                                                                    Entropy (8bit):4.462201512373672
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
                                                                                    MD5:46EBEB88876A00A52CC37B1F8E0D0438
                                                                                    SHA1:5E5DB352F964E5F398301662FF558BD905798A65
                                                                                    SHA-256:D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
                                                                                    SHA-512:E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
                                                                                    Malicious:false
                                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):7.796026251145376
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.96%
                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    File name:receipt.exe
                                                                                    File size:577536
                                                                                    MD5:a4a4bc6e3283ecc66cd4a4dc864acd9a
                                                                                    SHA1:2114e1c9fbbc3ffa9921338e09deff202aba01bf
                                                                                    SHA256:962debf4655a7917256ad3234217b1927a2c88afd4631ed8258121c5b9e2dfee
                                                                                    SHA512:b45ea70e2d6faa54ae5fc6a26158b47a5b51c7064d85c9ed7c1f632924cc0d6a82d50d5a68d46ca7060427d59625ee4e447cc7892f8b924335cfeac849a8a355
                                                                                    SSDEEP:12288:SncU0euEk1BdSfVfDpr26vgOIWO2UUA+4ZPZ4x07dtSvz:SGdkV2V0cSxOdtSL
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M5`..............0......@.......@...`... ....@.. .......................`............@................................

File Icon

Icon Hash: c4c2c4dcf4c672bc

Static PE Info

General

Entrypoint: 0x49400a
Entrypoint Section: (nameless section)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60354D8E [Tue Feb 23 18:46:38 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00494000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16914 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x10ec8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x92000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x94000 | 0x8 | (nameless section)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x16000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
3(G7gV | 0x2000 | 0x12ce4 | 0x12e00 | False | 1.00040097268 | data | 7.99735306844 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text | 0x16000 | 0x68900 | 0x68a00 | False | 0.94687359991 | data | 7.96127820812 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x10ec8 | 0x11000 | False | 0.131333295037 | data | 4.37885859623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x92000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0x94000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x80130 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0x90958 | 0x14 | data | |
RT_VERSION | 0x9096c | 0x36c | data | |
RT_MANIFEST | 0x90cd8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Neudesic 2017
Assembly Version | 1.0.0.0
InternalName | CsY.exe
FileVersion | 1.0.0.0
CompanyName | Neudesic
LegalTrademarks |
Comments |
ProductName | VectorBasedDrawing
ProductVersion | 1.0.0.0
FileDescription | VectorBasedDrawing
OriginalFilename | CsY.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/24/21-10:52:47.506328 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:52:53.781107 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:00.216165 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:07.041786 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:13.112569 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:19.175131 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:25.317441 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:31.414875 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:37.354295 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:43.292313 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:49.283746 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:53:55.488604 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49771 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:54:01.591516 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49774 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:54:07.590336 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:54:13.590416 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:54:19.562525 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 7890 | 192.168.2.4 | 45.15.143.249
02/24/21-10:54:25.518443 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 7890 | 192.168.2.4 | 45.15.143.249

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 24, 2021 10:52:47.067248106 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:47.190197945 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:47.190323114 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:47.506328106 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:47.647924900 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:47.648315907 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:47.829463005 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:47.829793930 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:47.952914000 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:47.964724064 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.137679100 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.137999058 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.313610077 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.313962936 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.349737883 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.349807978 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.349838972 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.349867105 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.353349924 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.353440046 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.476177931 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.476227045 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.476253033 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.476275921 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.477191925 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.477231979 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.477247953 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.477256060 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.477267027 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.477278948 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.478059053 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.478080034 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.599980116 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600017071 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600033045 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600052118 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600069046 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600090027 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600107908 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600158930 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600222111 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.600240946 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.600438118 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600464106 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600508928 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600533962 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.600608110 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.600617886 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.601325989 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.603724957 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.603760004 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.603771925 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.603789091 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.604517937 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.722706079 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722738028 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722755909 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722771883 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722789049 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722809076 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722816944 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.722840071 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.722891092 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.722954988 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.722985029 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723020077 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723037958 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723069906 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723104000 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723133087 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.723144054 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.723220110 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723268032 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723305941 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
Feb 24, 2021 10:52:48.723330975 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.723335028 CET | 49736 | 7890 | 192.168.2.4 | 45.15.143.249
Feb 24, 2021 10:52:48.723346949 CET | 7890 | 49736 | 45.15.143.249 | 192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723387957 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723402023 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.723454952 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723465919 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.723476887 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723505020 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723521948 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.723607063 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.723614931 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.724112034 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.727200985 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727231979 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727247953 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727307081 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727350950 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727384090 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727410078 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.727421999 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.727421999 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727442026 CET78904973645.15.143.249192.168.2.4
                                                                                    Feb 24, 2021 10:52:48.727473021 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.727477074 CET497367890192.168.2.445.15.143.249
                                                                                    Feb 24, 2021 10:52:48.727910042 CET497367890192.168.2.445.15.143.249

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:52:20
Start date: 24/02/2021
Path: C:\Users\user\Desktop\receipt.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\receipt.exe'
Imagebase: 0x410000
File size: 577536 bytes
MD5 hash: A4A4BC6E3283ECC66CD4A4DC864ACD9A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:52:41
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
Imagebase: 0xba0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:52:42
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:52:42
Start date: 24/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x300000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 10:52:43
Start date: 24/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xa70000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:52:54
Start date: 24/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0xbf0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 10:52:55
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis