Windows Analysis Report
rRECEIPTTRANSFE.exe

Overview

General Information

Sample name: rRECEIPTTRANSFE.exe
Analysis ID: 1428889
MD5: adf620aba1bbc1fcd60ac711b56d2d46
SHA1: edcda5c4d22266c12511c657f7e13edf9ee21975
SHA256: 10fa69c12a7a433da024600a736e659323276015e79824e45cd6eb9cacfc442a
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: rRECEIPTTRANSFE.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Avira: detection malicious, Label: HEUR/AGEN.1309691
Found malware configuration
Source: 10.2.HqEYLS.exe.470a988.10.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.victorytrans.com", "Username": "victoryhn@victorytrans.com", "Password": "Chienthang30f99"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: rRECEIPTTRANSFE.exe ReversingLabs: Detection: 76%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rRECEIPTTRANSFE.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: rRECEIPTTRANSFE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rRECEIPTTRANSFE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 4x nop then jmp 032F4C3Ah 0_2_032F5600

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49714 -> 112.213.93.72:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49714 -> 112.213.93.72:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49719 -> 112.213.93.72:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49719 -> 112.213.93.72:587
Yara detected Generic Downloader
Source: Yara match File source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 112.213.93.72:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SUPERDATA-AS-VNSUPERDATA-VN SUPERDATA-AS-VNSUPERDATA-VN
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 112.213.93.72:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: rRECEIPTTRANSFE.exe, 00000009.00000002.3351327707.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, HqEYLS.exe, 0000000E.00000002.3351448103.00000000029D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: HqEYLS.exe, 0000000E.00000002.3345057429.0000000000B85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rRECEIPTTRANSFE.exe, 00000009.00000002.3351327707.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, HqEYLS.exe, 0000000E.00000002.3351448103.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.victorytrans.com
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2131576032.00000000033FE000.00000004.00000800.00020000.00000000.sdmp, rRECEIPTTRANSFE.exe, 00000009.00000002.3351327707.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, HqEYLS.exe, 0000000A.00000002.2174534474.000000000351E000.00000004.00000800.00020000.00000000.sdmp, HqEYLS.exe, 0000000E.00000002.3351448103.00000000029D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp, rRECEIPTTRANSFE.exe, 00000009.00000002.3339650118.000000000042E000.00000040.00000400.00020000.00000000.sdmp, HqEYLS.exe, 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, cPKWk.cs .Net Code: B84OJxNS5
Source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, cPKWk.cs .Net Code: B84OJxNS5
Installs a global keyboard hook
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\HqEYLS.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.HqEYLS.exe.470a988.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.HqEYLS.exe.47461a8.12.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.rRECEIPTTRANSFE.exe.33d6494.1.raw.unpack, SQL.cs Large array initialization: : array initializer size 13797
Source: 0.2.rRECEIPTTRANSFE.exe.5e40000.13.raw.unpack, SQL.cs Large array initialization: : array initializer size 13797
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: rRECEIPTTRANSFE.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_019BDFCC 0_2_019BDFCC
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_032F4B28 0_2_032F4B28
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_032F6E30 0_2_032F6E30
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_032F4B1A 0_2_032F4B1A
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_032F02A0 0_2_032F02A0
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_032F0C50 0_2_032F0C50
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C614D8 0_2_07C614D8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C6A211 0_2_07C6A211
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C6A220 0_2_07C6A220
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C65F89 0_2_07C65F89
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C65F90 0_2_07C65F90
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C6EF00 0_2_07C6EF00
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 0_2_07C6EAC8 0_2_07C6EAC8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D74AC0 9_2_00D74AC0
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D73EA8 9_2_00D73EA8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D741F0 9_2_00D741F0
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D7F4A0 9_2_00D7F4A0
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_066586F8 9_2_066586F8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_0665F700 9_2_0665F700
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_0665E7A9 9_2_0665E7A9
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_066565C0 9_2_066565C0
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_0665B2F8 9_2_0665B2F8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_066532B8 9_2_066532B8
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_06650040 9_2_06650040
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_06659B60 9_2_06659B60
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_06658E4B 9_2_06658E4B
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_0665AC18 9_2_0665AC18
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_06650006 9_2_06650006
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_06653590 9_2_06653590
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_018FDFCC 10_2_018FDFCC
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_033B3B78 10_2_033B3B78
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_033B5E88 10_2_033B5E88
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_033B3B73 10_2_033B3B73
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_033B02A0 10_2_033B02A0
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_033B0C50 10_2_033B0C50
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_03480040 10_2_03480040
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_0348001A 10_2_0348001A
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_00E64AC0 14_2_00E64AC0
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_00E63EA8 14_2_00E63EA8
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_00E641F0 14_2_00E641F0
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_00E6F4A0 14_2_00E6F4A0
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_064286F8 14_2_064286F8
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_0642F700 14_2_0642F700
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_0642E7A9 14_2_0642E7A9
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_064265C0 14_2_064265C0
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_0642B2F8 14_2_0642B2F8
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_064232B8 14_2_064232B8
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_06420040 14_2_06420040
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_06429B60 14_2_06429B60
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_06428E4B 14_2_06428E4B
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_0642AC18 14_2_0642AC18
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_06420006 14_2_06420006
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_06423590 14_2_06423590
Sample file is different than original file name gathered from version info
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2130182471.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2137767664.0000000007B8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exej% vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2138481687.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2136723501.0000000005E40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef14c86c5-3333-4ec6-9a5d-d97686ccc1c0.exe4 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2131576032.0000000003430000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef14c86c5-3333-4ec6-9a5d-d97686ccc1c0.exe4 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000000.2090851932.0000000001010000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOeCQ.exeX vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2131576032.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe, 00000009.00000002.3341083583.00000000009A9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rRECEIPTTRANSFE.exe
Source: rRECEIPTTRANSFE.exe Binary or memory string: OriginalFilenameOeCQ.exeX vs rRECEIPTTRANSFE.exe
Uses 32bit PE files
Source: rRECEIPTTRANSFE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 10.2.HqEYLS.exe.470a988.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.HqEYLS.exe.47461a8.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: rRECEIPTTRANSFE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HqEYLS.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, JU8Khs1msJUV9P8qWx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, JU8Khs1msJUV9P8qWx.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: _0020.SetAccessControl
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: _0020.AddAccessRule
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: _0020.SetAccessControl
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GwdGba7NHiFnL1W60s.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File created: C:\Users\user\AppData\Roaming\HqEYLS.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Mutant created: \Sessions\1\BaseNamedObjects\dXFYtSCktBgyRYnuBUyHY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File created: C:\Users\user\AppData\Local\Temp\tmpE622.tmp Jump to behavior
Source: rRECEIPTTRANSFE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rRECEIPTTRANSFE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rRECEIPTTRANSFE.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File read: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe"
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HqEYLS.exe"
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpE622.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\HqEYLS.exe C:\Users\user\AppData\Roaming\HqEYLS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpF7D5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Users\user\AppData\Roaming\HqEYLS.exe "C:\Users\user\AppData\Roaming\HqEYLS.exe"
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HqEYLS.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpE622.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpF7D5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Users\user\AppData\Roaming\HqEYLS.exe "C:\Users\user\AppData\Roaming\HqEYLS.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: rRECEIPTTRANSFE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rRECEIPTTRANSFE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.rRECEIPTTRANSFE.exe.33d6494.1.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GwdGba7NHiFnL1W60s.cs .Net Code: sTU0lMqTxS System.Reflection.Assembly.Load(byte[])
Source: 0.2.rRECEIPTTRANSFE.exe.5e40000.13.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GwdGba7NHiFnL1W60s.cs .Net Code: sTU0lMqTxS System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D70CEB push edi; retf 9_2_00D70CAA
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_0665D881 push es; retf 9_2_0665D88C
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 10_2_03486ED0 push 8BFFFFF9h; iretd 10_2_03486ED5
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_00E60C23 push edi; retf 14_2_00E60CAA
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Code function: 14_2_0642D881 push es; retf 14_2_0642D88C
Source: rRECEIPTTRANSFE.exe Static PE information: section name: .text entropy: 7.968459128990862
Source: HqEYLS.exe.0.dr Static PE information: section name: .text entropy: 7.968459128990862
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, Nl0XtImW34wh2dJWSa.cs High entropy of concatenated method names: 'B0nOq6mG06', 'ddHOGB7sxM', 'KhnOwYFlei', 'sejOIeGeSF', 'H52Oklrcis', 'WCuOXw98Pb', 'DW6O1ck8eF', 'GGUOYa3P5U', 'LjZOLaADhb', 'cfKOmVNPoR'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, DiJivcCCAq5gb7yS7WH.cs High entropy of concatenated method names: 'ToString', 'msnrc74y5g', 'Vu5r0TRA4m', 'FoOryD3Lb2', 'XkursafWis', 'y6TrWoef3p', 'ppMrTZmAaE', 'inirBt82Eo', 'Ulkl5Yu1X5xAJwrqZ05', 'YO3CFhuhVhhrDr3vxkm'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, dLLDqKzJnwQrSrgImp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Uno5OJmufU', 'g2p5n79BX0', 'yX75UZcJYv', 'USa5Ks1tcm', 'Cli5MML4f2', 'g0r55SOi0r', 'Sif5rH7tSJ'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, Iuu42jsfWoJ2UUu2hK.cs High entropy of concatenated method names: 'PrqdDHTOtZ', 'bD3d7ITUSX', 'JsgdlpwIsC', 'EMdd3GwZJg', 'DJLd4kiTNK', 'lF3d9BwbSr', 'd6RdNBuXUt', 't6RdqN7WnK', 'OhndG8Hgwp', 'G8odpeobZe'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GwdGba7NHiFnL1W60s.cs High entropy of concatenated method names: 'Sc6cyAMRHk', 'ioQcsSRd0K', 'kSdcWbN7aG', 'ftCcT6EkMT', 'KPQcBy71Cp', 'JGUcuIGPgn', 'UpEcdELOd8', 'MYXcftWJJ9', 'cQpcvlA0ug', 'nUgcj97gjZ'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, VjUuUc2KZYn9CLcx5g.cs High entropy of concatenated method names: 'WD6MwUlSUl', 'mm6MIaQUNq', 'XiCMaisfoV', 'BlbMkAjyoe', 'rVmMoh1JB9', 'syjMXjeqiU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, YPVuIa5CsCIRWYuK5H.cs High entropy of concatenated method names: 'rfndsTNFKw', 'JcgdTfu5io', 'rRVduUdrZZ', 'zSeutm6ErQ', 'R6euzbq9O7', 'vmBdVtJDXP', 'HD7dQJt1YC', 'D1NdEtuOw2', 'yIbdc5jDY8', 'U6Yd0y0yhC'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, S1bvdjU8Jq6IuhE79s.cs High entropy of concatenated method names: 'D4IMs9NmS4', 'VIuMW7DQXO', 'FjkMTvP6YH', 'UUnMBHIufT', 'XafMuHgs2q', 'xowMdMv3s9', 'kk0Mfq7nAM', 'GTdMvFFNN5', 'e9iMjoPqEw', 'hFBMx2iYNl'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, TVk1yCOhSpiLEPrxTQ.cs High entropy of concatenated method names: 'w96QdCiUhv', 'yDnQfoawO4', 'ImOQjQVFxb', 'KCxQxJGuag', 'hCiQn3Ll59', 'eQ5QUiuUX6', 'e7fI3r1ddjVtJgg4sK', 'Iv14GShk4vHtXy43ks', 'RwAQQ6PQZY', 'U8EQcSyB3l'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, nA2qGXBOdOw1xQ6HsY.cs High entropy of concatenated method names: 'OLiB4Gljq2', 'hA0BNjdKtS', 'UscTaY4s9p', 'bcTTkWDy1n', 'qh2TXSlQ1e', 'mJ0TRL4CTg', 'C8QT1EtYvx', 'qbITYPyhiB', 'voCTS1CIGS', 'BvyTLuXr7R'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GUY7lMCEWlZTW41nMB2.cs High entropy of concatenated method names: 'lYj5D37lfd', 'YRm57vy8WP', 'Ipl5liMWSf', 'xBZ53xXe2L', 'LAu54xIemM', 'oMh59mGJD8', 'g6d5NJJZJS', 'qiu5qVOUCh', 'SlA5GS6oQl', 'Vx25pRChDa'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, HpC3v9IO6SAR7blhdG.cs High entropy of concatenated method names: 'IEE5QFPyJP', 'KnY5cXc0vN', 'rI550Tejfd', 'rOq5sW38AJ', 'TAY5W1LhAC', 'CA45BjP65J', 'NSf5u1q2Mo', 'WABMeruB6U', 'eM7MJo1wL1', 'VSFMF73Gon'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, J7j7ILCpLIdR8fnQJaO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AyYroQHyIM', 'u6ar8wkvNj', 'hWErHa6g7t', 'lpDr6aq4Vx', 'rsjrPvSgHL', 'v1jrZqtPVj', 'ROmreCqdlc'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, J6SCI1Du5RI3RyeUai.cs High entropy of concatenated method names: 'KOsuy13ptZ', 'nW3uWkBgBS', 'hQmuBQqgYL', 'Et4udQiieJ', 'BnJufmQ86Q', 'nUHBPY3rj5', 'NEiBZouCB3', 'WQ4BeIRNBX', 'UBUBJ3Tbrn', 'MWHBFkPqoc'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, trld6hlKiXBCeglKkV.cs High entropy of concatenated method names: 'iyUT3nuZef', 'N7mT9hfnUe', 'PIkTqaUnql', 'BHRTGKnvac', 'tfkTnRIVIa', 'JpXTUUwDZj', 'RZnTKv0yZI', 'm2pTMyTjOu', 'MUiT5uRLvP', 'OYtTrx0xSp'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, JU8Khs1msJUV9P8qWx.cs High entropy of concatenated method names: 'orAWoS5ety', 'gmLW8pnuYM', 'PdLWHxAmZu', 'yrJW65tCeY', 'vHxWPp206D', 'IHsWZPRN7j', 'mDGWesxAIB', 'VaPWJX5b2G', 'g9pWFnHPBm', 'W69WtqE4kn'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, G57qiPG5FKR8pxW3mh.cs High entropy of concatenated method names: 'Dispose', 'oGnQFA1gLY', 'swAEIyKCLq', 'fRxiimtmP1', 'xKQQtMoCd2', 'RY6Qzy04EE', 'ProcessDialogKey', 'vgYEVMi3Kg', 'VtEEQcZyj0', 'PyUEEHAUE9'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, MifJa0X1kcxl6jZLJH.cs High entropy of concatenated method names: 'qbGlgoOij', 'LkQ3hVNNL', 'zsQ9RKnu0', 'E1NNYKuUi', 'x1pGEEMme', 'HUap37dt2', 'E31psEoSNoaZc4L3K6', 'XMHZ2hkyPMNUfqyCg0', 'AslM59pca', 'VlnrVkoxD'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, po5EpPPTBLYxF0tOrO.cs High entropy of concatenated method names: 'nHxnL49UnV', 'eipnC7UKa9', 'HcJnohcInU', 'V1jn8bIkjB', 'iaxnI3rOds', 'wX5na4gMxe', 'mKGnkQOlNE', 'qQRnXn6eYy', 'qw8nRsjABA', 'Pkxn1rOe7M'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, XwKhUGWLJRBX6ZGn7t.cs High entropy of concatenated method names: 'V43KjrbkA7', 'AM0KxyxTSA', 'ToString', 'VUQKs7MHjB', 'E2YKWCSFB8', 'TS9KTAmk5W', 'oWZKBYjXXD', 'MjAKukfnLL', 'RcAKdHua5g', 'hTVKfR7TH6'
Source: 0.2.rRECEIPTTRANSFE.exe.471bec0.12.raw.unpack, GLyZBqL4DDAJOI5jL2.cs High entropy of concatenated method names: 'cjPuHaBC7n', 'dSDu6H6wrw', 'odOuPvcCsf', 'ToString', 'kIUuZh7V3t', 'ApfuejtCYm', 'lFQ2NP0A9rcxFKDDNO5', 'lwZmYX0VGPfy4pbLK7v'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, Nl0XtImW34wh2dJWSa.cs High entropy of concatenated method names: 'B0nOq6mG06', 'ddHOGB7sxM', 'KhnOwYFlei', 'sejOIeGeSF', 'H52Oklrcis', 'WCuOXw98Pb', 'DW6O1ck8eF', 'GGUOYa3P5U', 'LjZOLaADhb', 'cfKOmVNPoR'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, DiJivcCCAq5gb7yS7WH.cs High entropy of concatenated method names: 'ToString', 'msnrc74y5g', 'Vu5r0TRA4m', 'FoOryD3Lb2', 'XkursafWis', 'y6TrWoef3p', 'ppMrTZmAaE', 'inirBt82Eo', 'Ulkl5Yu1X5xAJwrqZ05', 'YO3CFhuhVhhrDr3vxkm'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, dLLDqKzJnwQrSrgImp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Uno5OJmufU', 'g2p5n79BX0', 'yX75UZcJYv', 'USa5Ks1tcm', 'Cli5MML4f2', 'g0r55SOi0r', 'Sif5rH7tSJ'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, Iuu42jsfWoJ2UUu2hK.cs High entropy of concatenated method names: 'PrqdDHTOtZ', 'bD3d7ITUSX', 'JsgdlpwIsC', 'EMdd3GwZJg', 'DJLd4kiTNK', 'lF3d9BwbSr', 'd6RdNBuXUt', 't6RdqN7WnK', 'OhndG8Hgwp', 'G8odpeobZe'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GwdGba7NHiFnL1W60s.cs High entropy of concatenated method names: 'Sc6cyAMRHk', 'ioQcsSRd0K', 'kSdcWbN7aG', 'ftCcT6EkMT', 'KPQcBy71Cp', 'JGUcuIGPgn', 'UpEcdELOd8', 'MYXcftWJJ9', 'cQpcvlA0ug', 'nUgcj97gjZ'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, VjUuUc2KZYn9CLcx5g.cs High entropy of concatenated method names: 'WD6MwUlSUl', 'mm6MIaQUNq', 'XiCMaisfoV', 'BlbMkAjyoe', 'rVmMoh1JB9', 'syjMXjeqiU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, YPVuIa5CsCIRWYuK5H.cs High entropy of concatenated method names: 'rfndsTNFKw', 'JcgdTfu5io', 'rRVduUdrZZ', 'zSeutm6ErQ', 'R6euzbq9O7', 'vmBdVtJDXP', 'HD7dQJt1YC', 'D1NdEtuOw2', 'yIbdc5jDY8', 'U6Yd0y0yhC'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, S1bvdjU8Jq6IuhE79s.cs High entropy of concatenated method names: 'D4IMs9NmS4', 'VIuMW7DQXO', 'FjkMTvP6YH', 'UUnMBHIufT', 'XafMuHgs2q', 'xowMdMv3s9', 'kk0Mfq7nAM', 'GTdMvFFNN5', 'e9iMjoPqEw', 'hFBMx2iYNl'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, TVk1yCOhSpiLEPrxTQ.cs High entropy of concatenated method names: 'w96QdCiUhv', 'yDnQfoawO4', 'ImOQjQVFxb', 'KCxQxJGuag', 'hCiQn3Ll59', 'eQ5QUiuUX6', 'e7fI3r1ddjVtJgg4sK', 'Iv14GShk4vHtXy43ks', 'RwAQQ6PQZY', 'U8EQcSyB3l'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, nA2qGXBOdOw1xQ6HsY.cs High entropy of concatenated method names: 'OLiB4Gljq2', 'hA0BNjdKtS', 'UscTaY4s9p', 'bcTTkWDy1n', 'qh2TXSlQ1e', 'mJ0TRL4CTg', 'C8QT1EtYvx', 'qbITYPyhiB', 'voCTS1CIGS', 'BvyTLuXr7R'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GUY7lMCEWlZTW41nMB2.cs High entropy of concatenated method names: 'lYj5D37lfd', 'YRm57vy8WP', 'Ipl5liMWSf', 'xBZ53xXe2L', 'LAu54xIemM', 'oMh59mGJD8', 'g6d5NJJZJS', 'qiu5qVOUCh', 'SlA5GS6oQl', 'Vx25pRChDa'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, HpC3v9IO6SAR7blhdG.cs High entropy of concatenated method names: 'IEE5QFPyJP', 'KnY5cXc0vN', 'rI550Tejfd', 'rOq5sW38AJ', 'TAY5W1LhAC', 'CA45BjP65J', 'NSf5u1q2Mo', 'WABMeruB6U', 'eM7MJo1wL1', 'VSFMF73Gon'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, J7j7ILCpLIdR8fnQJaO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AyYroQHyIM', 'u6ar8wkvNj', 'hWErHa6g7t', 'lpDr6aq4Vx', 'rsjrPvSgHL', 'v1jrZqtPVj', 'ROmreCqdlc'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, J6SCI1Du5RI3RyeUai.cs High entropy of concatenated method names: 'KOsuy13ptZ', 'nW3uWkBgBS', 'hQmuBQqgYL', 'Et4udQiieJ', 'BnJufmQ86Q', 'nUHBPY3rj5', 'NEiBZouCB3', 'WQ4BeIRNBX', 'UBUBJ3Tbrn', 'MWHBFkPqoc'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, trld6hlKiXBCeglKkV.cs High entropy of concatenated method names: 'iyUT3nuZef', 'N7mT9hfnUe', 'PIkTqaUnql', 'BHRTGKnvac', 'tfkTnRIVIa', 'JpXTUUwDZj', 'RZnTKv0yZI', 'm2pTMyTjOu', 'MUiT5uRLvP', 'OYtTrx0xSp'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, JU8Khs1msJUV9P8qWx.cs High entropy of concatenated method names: 'orAWoS5ety', 'gmLW8pnuYM', 'PdLWHxAmZu', 'yrJW65tCeY', 'vHxWPp206D', 'IHsWZPRN7j', 'mDGWesxAIB', 'VaPWJX5b2G', 'g9pWFnHPBm', 'W69WtqE4kn'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, G57qiPG5FKR8pxW3mh.cs High entropy of concatenated method names: 'Dispose', 'oGnQFA1gLY', 'swAEIyKCLq', 'fRxiimtmP1', 'xKQQtMoCd2', 'RY6Qzy04EE', 'ProcessDialogKey', 'vgYEVMi3Kg', 'VtEEQcZyj0', 'PyUEEHAUE9'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, MifJa0X1kcxl6jZLJH.cs High entropy of concatenated method names: 'qbGlgoOij', 'LkQ3hVNNL', 'zsQ9RKnu0', 'E1NNYKuUi', 'x1pGEEMme', 'HUap37dt2', 'E31psEoSNoaZc4L3K6', 'XMHZ2hkyPMNUfqyCg0', 'AslM59pca', 'VlnrVkoxD'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, po5EpPPTBLYxF0tOrO.cs High entropy of concatenated method names: 'nHxnL49UnV', 'eipnC7UKa9', 'HcJnohcInU', 'V1jn8bIkjB', 'iaxnI3rOds', 'wX5na4gMxe', 'mKGnkQOlNE', 'qQRnXn6eYy', 'qw8nRsjABA', 'Pkxn1rOe7M'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, XwKhUGWLJRBX6ZGn7t.cs High entropy of concatenated method names: 'V43KjrbkA7', 'AM0KxyxTSA', 'ToString', 'VUQKs7MHjB', 'E2YKWCSFB8', 'TS9KTAmk5W', 'oWZKBYjXXD', 'MjAKukfnLL', 'RcAKdHua5g', 'hTVKfR7TH6'
Source: 0.2.rRECEIPTTRANSFE.exe.7cd0000.16.raw.unpack, GLyZBqL4DDAJOI5jL2.cs High entropy of concatenated method names: 'cjPuHaBC7n', 'dSDu6H6wrw', 'odOuPvcCsf', 'ToString', 'kIUuZh7V3t', 'ApfuejtCYm', 'lFQ2NP0A9rcxFKDDNO5', 'lwZmYX0VGPfy4pbLK7v'
Drops PE files
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File created: C:\Users\user\AppData\Roaming\HqEYLS.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpE622.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 616, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rRECEIPTTRANSFE.exe, 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp, rRECEIPTTRANSFE.exe, 00000009.00000002.3339650118.000000000042E000.00000040.00000400.00020000.00000000.sdmp, HqEYLS.exe, 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 19A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 33B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 3290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 9930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 81D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: A930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: B930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 2B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: 2960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 1580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 34D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 3350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 8FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 7940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 9FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: AFC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory allocated: 28F0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3540000 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3539875 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3539766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6488 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5842 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Window / User API: threadDelayed 3797 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Window / User API: threadDelayed 6055 Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Window / User API: threadDelayed 1724
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Window / User API: threadDelayed 8131
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6720 Thread sleep count: 6488 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4184 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5208 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 3260 Thread sleep count: 3797 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 3260 Thread sleep count: 6055 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99742s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99512s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99403s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99292s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99169s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -99062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98513s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98405s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98183s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -98078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97856s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97632s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97186s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -96091s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -95000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -94890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -94781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -3540000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -3539875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe TID: 2120 Thread sleep time: -3539766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 1804 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 884 Thread sleep count: 1724 > 30
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 884 Thread sleep count: 8131 > 30
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99527s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97516s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97171s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96734s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96625s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96515s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96406s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96297s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96188s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -96078s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95969s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95859s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95750s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95421s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -94766s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe TID: 5928 Thread sleep time: -94516s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99742 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99512 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99403 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99292 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99169 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 99062 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98953 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98843 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98734 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98624 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98513 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98405 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98296 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98183 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 98078 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97968 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97856 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97749 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97632 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97515 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97406 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97296 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97186 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96968 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96750 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96640 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96531 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96421 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96312 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96203 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 96091 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95984 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95874 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95765 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95656 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95546 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95437 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95328 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95218 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95109 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 95000 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 94890 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 94781 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3540000 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3539875 Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Thread delayed: delay time: 3539766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99527
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97969
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97641
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97516
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97391
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97171
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96953
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96844
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96734
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96625
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96515
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96406
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96297
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96188
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 96078
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95969
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95859
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95750
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95641
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95531
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95421
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95312
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95203
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 94875
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 94766
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 94641
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Thread delayed: delay time: 94516
Source: HqEYLS.exe, 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: HqEYLS.exe, 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: rRECEIPTTRANSFE.exe, 00000009.00000002.3345063693.0000000000E56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: HqEYLS.exe, 0000000E.00000002.3345057429.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Code function: 9_2_00D770B0 CheckRemoteDebuggerPresent, 9_2_00D770B0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe"
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HqEYLS.exe"
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HqEYLS.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Memory written: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Memory written: C:\Users\user\AppData\Roaming\HqEYLS.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HqEYLS.exe" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpE622.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Process created: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe "C:\Users\user\Desktop\rRECEIPTTRANSFE.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HqEYLS" /XML "C:\Users\user\AppData\Local\Temp\tmpF7D5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Process created: C:\Users\user\AppData\Roaming\HqEYLS.exe "C:\Users\user\AppData\Roaming\HqEYLS.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Users\user\AppData\Roaming\HqEYLS.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Users\user\AppData\Roaming\HqEYLS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3351448103.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3351327707.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3339650118.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3351448103.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3351327707.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 5036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 2328, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\rRECEIPTTRANSFE.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\HqEYLS.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3339650118.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3351448103.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3351327707.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 5036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 2328, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rRECEIPTTRANSFE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.47461a8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HqEYLS.exe.470a988.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.45e99d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rRECEIPTTRANSFE.exe.46251f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3351448103.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3351327707.0000000002BCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3339650118.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3351448103.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3351327707.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2176331174.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132934407.00000000045E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rRECEIPTTRANSFE.exe PID: 5036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HqEYLS.exe PID: 2328, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428889 Sample: rRECEIPTTRANSFE.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 42 mail.victorytrans.com 2->42 44 ip-api.com 2->44 50 Snort IDS alert for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 13 other signatures 2->56 8 rRECEIPTTRANSFE.exe 7 2->8         started        12 HqEYLS.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\HqEYLS.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpE622.tmp, XML 8->40 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 70 3 other signatures 8->70 14 rRECEIPTTRANSFE.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 24 HqEYLS.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 46 mail.victorytrans.com 112.213.93.72, 49714, 49719, 587 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 14->46 48 ip-api.com 208.95.112.1, 49712, 49717, 80 TUT-ASUS United States 14->48 72 Installs a global keyboard hook 14->72 74 Loading BitLocker PowerShell Module 18->74 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->76 78 Tries to steal Mail credentials (via file / registry access) 24->78 80 Tries to harvest and steal ftp login credentials 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
112.213.93.72
 mail.victorytrans.com Viet Nam
45544 SUPERDATA-AS-VNSUPERDATA-VN true

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true
mail.victorytrans.com 112.213.93.72 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/line/?fields=hosting false
    		high