Windows Analysis Report
Receipt.exe

Machine Learning detection for sample

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Source: Receipt.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Joe Sandbox ML: detected

Source: Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Receipt.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 103.141.138.125:24980 -> 192.168.2.5:49697

Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

System Summary

Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Receipt.exe

Source: Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_018111B0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01815BD1
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF7120
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF33A8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF8CB8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF3043
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF2E90
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01621127
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01623000
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01625BE0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01625BD1
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_018891D8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_018833A8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01882FEF
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_032E9E00
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_0590D5D0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900CF0

Source: Receipt.exe	Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: Jzqbsob.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARC archive data, packed

Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQnwarliipjooijoxqlleev.dll" vs Receipt.exe
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.530701855.0000000005891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.559896437.0000000005D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000007.00000000.457523111.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUwtpxswhphuvnrulrb.dll" vs Receipt.exe

Source: Receipt.exe

ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\Receipt.exe

Source: Receipt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Receipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\Bouqi

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/7@0/0

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Yara detected Costura Assembly Loader

Source: Receipt.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01

Source: C:\Users\user\Desktop\Receipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Receipt.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Receipt.exe

Static file information: File size 4574208 > 1048576

Source: Receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Receipt.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x44fc00

Source: Receipt.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match	File source: 0.2.Receipt.exe.6b00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.5010e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.5010e10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Receipt.exe.5770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Receipt.exe.6b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Receipt.exe.5bd1038.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c90db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Receipt.exe.5bd1038.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c50d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Receipt.exe.5770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c30d70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.599774933.000000000360C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.618961337.000000000394C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578345911.0000000006B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.596522547.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.444317098.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.614181534.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.466500426.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599218252.0000000003355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.491615975.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.635737864.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 4740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jzqbsob.exe PID: 676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jzqbsob.exe PID: 2892, type: MEMORYSTR

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFE0E0 push 0000003Bh; ret
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFE0D2 push 0000003Bh; ret
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFD2D5 push FFFFFF8Bh; retf
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFDFA8 push 0000003Bh; ret
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05909C4A pushfd ; retf
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900FB0 push ss; ret
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900F58 push ss; ret

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Receipt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob			Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (102).png

Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Receipt.exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 260	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 160	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Receipt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8239

Source: C:\Users\user\Desktop\Receipt.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Receipt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Receipt.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Receipt.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\Receipt.exe	Process created: Base64 decoded Start-Sleep -Seconds 50
Source: C:\Users\user\Desktop\Receipt.exe	Process created: Base64 decoded Start-Sleep -Seconds 50

Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe

Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Users\user\Desktop\Receipt.exe VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Users\user\Desktop\Receipt.exe VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Receipt.exe, 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Receipt.exe, 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Receipt.exe	36%	ReversingLabs	Win32.Trojan.Woreflint
Receipt.exe	100%	Avira	HEUR/AGEN.1252994
Receipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	100%	Avira	HEUR/AGEN.1252994
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	36%	ReversingLabs	Win32.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.0.Receipt.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1232002		Download File
0.0.Receipt.exe.c60000.0.unpack	100%	Avira	HEUR/AGEN.1252994		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://james.newtonking.com/projects/json	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.newtonsoft.com/json	Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	714970
Start date and time:	2022-10-03 13:26:47 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Receipt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/7@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:27:54	API Interceptor	13x Sleep call for process: powershell.exe modified
13:28:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
13:28:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
13:30:08	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Receipt.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Receipt.exe.log

Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1039
Entropy (8bit):	5.3436815157474165
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhyE4KdE4KBLWE4K5AE4Kzr7a:MxHKXwYHKhQnoyHKdHKBqHK5AHKzva
MD5:	6C24176D343957C767AA6536571797FA
SHA1:	64512F67A49AF75E9A67474DF54FCCD3472905B2
SHA-256:	63AB82B5B458425DB1E0831E1BB8CA642C602D9BCB0762A1E47C7836CACF3350
SHA-512:	D0DFB30B723CC1F0ADB8D9448220AC67A1A21243499B7EB31402CAA0CE9F6A892073E10C52D132E59BF2321F05DBB0973B7E1026023992FC33DE5AB74A6979A4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16484
Entropy (8bit):	5.5525830267255625
Encrypted:	false
SSDEEP:	384:3te/Rq01vrCHRZ/09E4xn6uxRiJ9gSSJ3uzp1AYv:5HRRYE4x6ux1ScuRv
MD5:	5E720B8C48A8866D6D7D049C08C1599B
SHA1:	AEF8EF6A27518FF21B7555F3BCB91D967583706D
SHA-256:	2F3A54859BBB76612C9C67167CD509C02496CE435E753FBADDEDBFC781EA5704
SHA-512:	76BA201A564BB26F9B8AC3AA78D45FD5BD3260276971C9BCDD2B996148567BD69BC98C2BE5EECC25AFECFF41146DBB9E2CA74DDDA388DA4D15D6AC73D362FF57
Malicious:	false
Preview:	@...e...............................8.M..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjzqitn5.ybc.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4574208
Entropy (8bit):	4.096422057850003
Encrypted:	false
SSDEEP:	24576:RzSiXemZQDLG5EeMRROEtrclFD0bWfeX7TXkQqAbTWP0BT3pWiQFEIJMmDwkchWa:
MD5:	59082912CB9D1D4ECE0567B1354D0F34
SHA1:	A3C3E88B6C905EAEE872BB21916C792A3EC1D7E7
SHA-256:	7EF24F6499DD9FC7809783A98FEBC44C2DC25A3F74D02C9BF8DDBAE0D3B781C6
SHA-512:	B0FF1A80EDF7A0D3CAC7882DE5626C2F54B415C63454C8AFE8D256560439D0B41709B57B1B0CE149E3D6B6859AB4DEFC3D39563E7C40731966E9310C4220EEF0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0...D...........E.. ........@.. ....................... F...........`.................................x.E.S.... E.......................F...................................................... ............... ..H............text.....D.. ....D................. ..`.rsrc........ E.......D.............@..@.reloc........F.......E.............@..B..................E.....H.......l.E..............................................................s....(......(.....0..`.......s......o....t....r...po......o....o.....1)~.....rI..p .......o....t....~.....(....&...,..o.............OU.......(....(......(.....(.... ..D......%.....(....o....(.......0..4.........(....o....o....(....s......o........,..o.....&...*.........%.........../.......0.......... ..........s...... ....(....o.....+<.o.............rq..p(..................o.......o.......o.....o..

C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe:Zone.Identifier