
Windows Analysis Report
Receipt.exe

Overview

General Information

Sample Name: Receipt.exe
Analysis ID: 714970
MD5: 59082912cb9d1d4ece0567b1354d0f34
SHA1: a3c3e88b6c905eaee872bb21916c792a3ec1d7e7
SHA256: 7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Receipt.exe (PID: 4740 cmdline: C:\Users\user\Desktop\Receipt.exe MD5: 59082912CB9D1D4ECE0567B1354D0F34)
    • powershell.exe (PID: 5996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Receipt.exe (PID: 2912 cmdline: C:\Users\user\Desktop\Receipt.exe MD5: 59082912CB9D1D4ECE0567B1354D0F34)
    • Receipt.exe (PID: 572 cmdline: C:\Users\user\Desktop\Receipt.exe MD5: 59082912CB9D1D4ECE0567B1354D0F34)
    • Receipt.exe (PID: 3492 cmdline: C:\Users\user\Desktop\Receipt.exe MD5: 59082912CB9D1D4ECE0567B1354D0F34)
  • Jzqbsob.exe (PID: 676 cmdline: "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe" MD5: 59082912CB9D1D4ECE0567B1354D0F34)
  • Jzqbsob.exe (PID: 2892 cmdline: "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe" MD5: 59082912CB9D1D4ECE0567B1354D0F34)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.599774933.000000000360C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000008.00000002.618961337.000000000394C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.578345911.0000000006B00000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth |
  • 0x10185:$x1: NanoCore.ClientPluginHost
  • 0x101c2:$x2: IClientNetworkHost
  • 0x13cf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source | Rule | Description | Author | Strings
0.2.Receipt.exe.6b00000.4.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
7.3.Receipt.exe.5010e10.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
7.3.Receipt.exe.5010e10.3.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
7.2.Receipt.exe.5770000.1.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.Receipt.exe.6b00000.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
                    No Sigma rule has matched
Timestamp: 10/03/22-13:30:23.588911
Source IP: 103.141.138.125
Destination IP: 192.168.2.5
SID: 2841753
Source Port: 24980
Destination Port: 49697
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-13:30:08.258701
Source IP: 192.168.2.5
Destination IP: 103.141.138.125
SID: 2025019
Source Port: 49697
Destination Port: 24980
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-13:30:23.935676
Source IP: 192.168.2.5
Destination IP: 103.141.138.125
SID: 2816766
Source Port: 49697
Destination Port: 24980
Protocol: TCP
Classtype: A Network Trojan was detected


                    AV Detection

Source: Receipt.exe | ReversingLabs: Detection: 35%
Source: Receipt.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe | Avira: detection malicious, Label: HEUR/AGEN.1252994
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe | ReversingLabs: Detection: 35%
Source: Yara match | File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR
Source: Receipt.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe | Joe Sandbox ML: detected
Source: Receipt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Receipt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

                    Networking

Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 103.141.138.125:24980 -> 192.168.2.5:49697
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  • http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
  • http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
  • http://crl3.digicert.com/sha2-assured-ts.crl02
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
  • http://crl4.digicert.com/sha2-assured-ts.crl0
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0K
  • http://ocsp.digicert.com0N
  • http://ocsp.digicert.com0O
  • http://www.digicert.com/CPS0
  • https://www.digicert.com/CPS0
  • https://www.newtonsoft.com/json
  • https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://james.newtonking.com/projects/json
  • https://www.newtonsoft.com/jsonschema

                    E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

                    System Summary

Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: initial sample | Static PE information: Filename: Receipt.exe
Source: Receipt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_018111B0
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01815BD1
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01BF7120
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01BF33A8
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01BF8CB8
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01BF3043
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 0_2_01BF2E90
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_01621127
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_01623000
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_01625BE0
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_01625BD1
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_018891D8
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_018833A8
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_01882FEF
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_032E9E00
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_0590D5D0
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: 7_2_05900CF0
                    Source: Receipt.exe | Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
                    Source: Jzqbsob.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
                    Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameQnwarliipjooijoxqlleev.dll" vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.530701855.0000000005891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.559896437.0000000005D91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
                    Source: Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
                    Source: Receipt.exe, 00000007.00000000.457523111.0000000000702000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
                    Source: Receipt.exe, 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUwtpxswhphuvnrulrb.dll" vs Receipt.exe
                    Source: Receipt.exe | ReversingLabs: Detection: 35%
                    Source: C:\Users\user\Desktop\Receipt.exe | File read: C:\Users\user\Desktop\Receipt.exe
                    Source: Receipt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
                    Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Receipt.exe | Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe (three child instances listed)
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe" (two instances listed)
                    Source: C:\Users\user\Desktop\Receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\Receipt.exe | File created: C:\Users\user\AppData\Roaming\Bouqi
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/7@0/0
                    Source: C:\Users\user\Desktop\Receipt.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: Receipt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
                    Source: C:\Users\user\Desktop\Receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Receipt.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: Receipt.exe | Static file information: File size 4574208 > 1048576
                    Source: Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Receipt.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x44fc00
                    Source: Receipt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: 0.2.Receipt.exe.6b00000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.Receipt.exe.5010e10.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.Receipt.exe.5010e10.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Receipt.exe.5770000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Receipt.exe.6b00000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.Receipt.exe.5bd1038.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.Receipt.exe.4c90db0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.Receipt.exe.5bd1038.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.Receipt.exe.4c50d90.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Receipt.exe.5770000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.3.Receipt.exe.4c30d70.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.599774933.000000000360C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.618961337.000000000394C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.578345911.0000000006B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.596522547.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.444317098.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.614181534.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.466500426.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.599218252.0000000003355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.491615975.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.635737864.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 4740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Jzqbsob.exe PID: 676, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Jzqbsob.exe PID: 2892, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push 0000003Bh; ret (push at 0_2_01BFE0E0, ret at 0_2_01BFE0E2)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push 0000003Bh; ret (push at 0_2_01BFE0D2, ret at 0_2_01BFE0D4)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push FFFFFF8Bh; retf (push at 0_2_01BFD2D5, retf at 0_2_01BFD2DF)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push 0000003Bh; ret (push at 0_2_01BFDFA8, ret at 0_2_01BFDFAA)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: pushfd; retf (pushfd at 7_2_05909C4A, retf at 7_2_05909C51)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push ss; ret (push at 7_2_05900FB0, ret at 7_2_05900FE9)
                    Source: C:\Users\user\Desktop\Receipt.exe | Code function: push ss; ret (push at 7_2_05900F58, ret at 7_2_05900FE9)
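                    The push/ret pairs above are the basis of the "Uses code obfuscation techniques (call, push, ret)" signature: a pushed immediate followed by ret transfers control to that immediate without a jmp, which defeats naive linear disassembly. Note that in this report the ret is not always adjacent to the push (0_2_01BFE0E0 to 0_2_01BFE0E2 is the 2-byte `push imm8` directly followed by `ret`, while both 7_2_05900F58 and 7_2_05900FB0 reach the same ret at 7_2_05900FE9). The scanner below is an added example, not code from the report or from Joe Sandbox: it finds these pairs in a code buffer, renders them the way the report does (imm8 sign-extended to 32 bits, hence FFFFFF8Bh), and takes a window so a ret a few bytes later is also caught. The sample bytes are constructed for the example and are not taken from the sample.

```python
# Constructed sample code bytes (not taken from the sample): an ordinary prologue and
# epilogue that must not be flagged, plus the push/ret shapes the report lists.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,        # push ebp; mov ebp, esp        (normal prologue, not a gadget)
    0x6A, 0x3B, 0xC3,        # push 3Bh; ret                 -> "returns" into address 0x3B
    0x90, 0x90,              # nop; nop
    0x9C, 0xCB,              # pushfd; retf
    0x6A, 0x8B, 0x90, 0xC3,  # push FFFFFF8Bh; nop; ret      (ret not adjacent: needs window >= 1)
    0x16, 0xC3,              # push ss; ret
    0x5D, 0xC3,              # pop ebp; ret                  (normal epilogue, not a gadget)
])

# push forms that can be abused to fake a return address: (mnemonic, instruction length)
PUSH_OPS = {
    0x6A: ('push imm8', 2), 0x68: ('push imm32', 5),
    0x06: ('push es', 1), 0x0E: ('push cs', 1), 0x16: ('push ss', 1), 0x1E: ('push ds', 1),
    0x9C: ('pushfd', 1),
}
RET_OPS = {0xC3: 'ret', 0xC2: 'ret imm16', 0xCB: 'retf', 0xCA: 'retf imm16'}


def _push_text(code: bytes, i: int) -> str:
    """Render a push the way a disassembler would, sign-extending imm8 to 32 bits."""
    op = code[i]
    if op == 0x6A:
        imm = code[i + 1] - 0x100 if code[i + 1] & 0x80 else code[i + 1]
        return f'push {imm & 0xFFFFFFFF:08X}h'
    if op == 0x68:
        return f'push {int.from_bytes(code[i + 1:i + 5], "little"):08X}h'
    return PUSH_OPS[op][0]


def find_push_ret(code: bytes, base: int = 0, window: int = 0) -> list:
    """Find push ...; ret sequences. Returns (push_addr, text, ret_addr) tuples.

    window=0 requires the ret to follow the push directly; a larger window also accepts
    a ret up to that many bytes later. This is a byte scan, not a disassembly, so bytes
    of immediates or data can masquerade as opcodes: treat hits as leads to confirm.
    """
    hits = []
    for i, op in enumerate(code):
        if op not in PUSH_OPS or i + PUSH_OPS[op][1] > len(code):
            continue
        start = i + PUSH_OPS[op][1]
        for j in range(start, min(start + window, len(code) - 1) + 1):
            if code[j] in RET_OPS:
                hits.append((base + i, f'{_push_text(code, i)}; {RET_OPS[code[j]]}', base + j))
                break
    return hits


if __name__ == '__main__':
    for push_at, text, ret_at in find_push_ret(SAMPLE_CODE, base=0x01BFE000, window=1):
        print(f'{push_at:08X} {text} (ret at {ret_at:08X})')
```

                    Run it over a dumped code section (for instance the `.text` of one of the unpacked PE regions listed under Data Obfuscation) with `base` set to the section's load address so the reported addresses line up with the sandbox output; a hit inside a real disassembler's instruction stream is the confirmation that matters, since `push ebp` (0x55) and other register pushes are deliberately excluded and a stray 0x6A inside an immediate can still produce a false lead.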
                    Source: C:\Users\user\Desktop\Receipt.exe | File created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe (dropped file)
                    Source: C:\Users\user\Desktop\Receipt.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob (listed twice)
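                    The two entries above are the persistence chain: the sample copies itself to a user-writable directory (C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe) and registers it under the per-user Run key, neither of which needs elevation. The audit below is an added example written for this page, not code from the report: it classifies Run values by where their image lives and flags autostarts from user-writable locations, with an allow-list to show why a path rule alone over-alerts on legitimate per-user installs. The Run value name `Jzqbsob` is from the report; its data is assumed to be the dropped path shown in the process list, and the `OneDrive` and `SecurityHealth` entries plus the environment table are hypothetical.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# 'Jzqbsob' is the value name the report shows; its data is assumed here to be the
# dropped path that appears in the report's process list. 'OneDrive' and
# 'SecurityHealth' are hypothetical benign entries added for contrast.
SAMPLE_RUN_VALUES = {
    'Jzqbsob': r'"C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"',
    'OneDrive': r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    'SecurityHealth': r'%windir%\system32\SecurityHealthSystray.exe',
}

# Offline stand-ins for the environment variables a Run value may use (assumed profile path).
ENV = {
    'windir': r'C:\Windows', 'systemroot': r'C:\Windows',
    'userprofile': r'C:\Users\user',
    'appdata': r'C:\Users\user\AppData\Roaming',
    'localappdata': r'C:\Users\user\AppData\Local',
    'temp': r'C:\Users\user\AppData\Local\Temp', 'tmp': r'C:\Users\user\AppData\Local\Temp',
}

# Path fragments that only need user rights to write to. An autostart pointing here
# was planted without elevation, which is exactly what this dropper did with Jzqbsob.exe.
USER_WRITABLE = ('\\appdata\\', '\\downloads\\', '\\desktop\\', '\\users\\public\\', '\\temp\\')

# Legitimate per-user installs also live under AppData (OneDrive, Teams, ...), so a
# path rule alone over-alerts. This allow-list is a placeholder; in production verify
# the file's Authenticode signature instead of trusting its location.
KNOWN_GOOD_PREFIXES = ('c:\\users\\user\\appdata\\local\\microsoft\\onedrive\\',)


def expand(path: str) -> str:
    """Expand %VAR% references using the offline ENV table (unknown names are left as-is)."""
    return re.sub(r'%([^%]+)%', lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def image_path(command: str) -> str:
    """Pull the executable path out of a Run value: the quoted part, else up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def classify(name: str, command: str) -> dict:
    """Describe one Run value: normalised image path and whether it warrants a look."""
    path = expand(image_path(command)).lower()
    in_user_dir = any(fragment in path for fragment in USER_WRITABLE)
    known_good = path.startswith(KNOWN_GOOD_PREFIXES)
    suspicious = in_user_dir and not known_good
    return {
        'name': name,
        'path': path,
        'user_writable': in_user_dir,
        'suspicious': suspicious,
        'reason': 'autostart image lives in a user-writable directory' if suspicious else '',
    }


def audit(values: dict) -> list:
    """Return the classifications of all Run values flagged as suspicious."""
    return [c for c in (classify(n, v) for n, v in values.items()) if c['suspicious']]


def read_hkcu_run() -> dict:
    """Read the live HKCU Run key; Windows only, not used by the offline sample above."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Run') as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return values
            values[name] = str(data)
            i += 1


if __name__ == '__main__':
    for hit in audit(SAMPLE_RUN_VALUES):
        print(f"{hit['name']}: {hit['path']} ({hit['reason']})")
```

                    On a live host, `audit(read_hkcu_run())` gives the same result for the current user; the equivalent HKLM Run and RunOnce keys, and the per-user Startup folder, deserve the same pass since the report only shows where this sample chose to persist.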

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (102).png
                    Source: C:\Users\user\Desktop\Receipt.exe | Process information set: NOOPENFILEERRORBOX (14 identical entries)
                    Source: C:\Users\user\Desktop\Receipt.exe