

Windows Analysis Report
FYCC new order S460013746-560121121.exe

Overview

General Information

Sample name: FYCC new order S460013746-560121121.exe
Analysis ID: 1523586
MD5: 78eff09f295aa4b3aaf36af5245efe94
SHA1: dea545e8b85f2c1201f7aa3a54f643826ca8a6ed
SHA256: 38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
Tags: AgentTesla, exe, TNT, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • FYCC new order S460013746-560121121.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe" MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
    • powershell.exe (PID: 2136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • zriEHRxkd.exe (PID: 7288 cmdline: C:\Users\user\AppData\Roaming\zriEHRxkd.exe MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
    • schtasks.exe (PID: 7508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • zriEHRxkd.exe (PID: 7560 cmdline: "C:\Users\user\AppData\Roaming\zriEHRxkd.exe" MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
    • zriEHRxkd.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Roaming\zriEHRxkd.exe" MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
    • zriEHRxkd.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\zriEHRxkd.exe" MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
    • zriEHRxkd.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Roaming\zriEHRxkd.exe" MD5: 78EFF09F295AA4B3AAF36AF5245EFE94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Exfiltration is therefore plaintext SMTP on TCP/25 to the attacker-controlled mailbox above, which matches the outbound connection to 46.175.148.58:25 and the DNS query for mail.iaa-airferight.com recorded under Networking.
Yara matches in memory dumps (source: rule, description, author):
  • 00000008.00000002.2933747926.0000000002C00000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  • 00000010.00000002.2934757026.000000000309E000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  • 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  • 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  • 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  (table truncated in this view; the click-through listed 11 entries)
Yara matches in unpacked PE images (source: rule, description, author):
  • 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  • 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  • 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Detects executables referencing Windows vault credential objects. Observed in infostealers, ditekSHen. Matched strings:
    • 0x316cb: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3173d: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317c7: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x31859: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318c3: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31935: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319cb: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a5b: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 8.2.FYCC new order S460013746-560121121.exe.400000.0.unpack: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  • 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  (table truncated in this view; the click-through listed 3 entries)
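The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match above keyed on eight Windows Vault schema GUID strings found in the unpacked .NET image. The Python below is an added example, not ditekSHen's Yara rule and not code from this report: it scans a buffer for those same eight GUIDs in both ASCII and UTF-16LE, because .NET stores C# string literals as UTF-16LE in the #US heap and a byte-wise ASCII search alone can miss them. The MIN_HITS threshold and the constructed sample buffer in build_sample() are this example's own assumptions.

```python
"""Vault-schema-GUID scanner (added example; not the Yara rule, not report code)."""
import sys
from typing import List, Tuple

# The eight GUID strings reported as $s1..$s8 in the Yara match above.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]
MIN_HITS = 3  # assumption: distinct GUIDs required before a buffer is flagged

ENCODINGS = (("ascii", "ascii"), ("wide", "utf-16-le"))  # (label, Python codec)


def find_vault_guids(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return sorted (offset, encoding_label, guid) for every vault GUID occurrence.

    Upper- and lower-case spellings are both searched, as plain bytes and as
    UTF-16LE (the layout of C# string literals in the .NET #US heap).
    """
    hits: List[Tuple[int, str, str]] = []
    for guid in VAULT_SCHEMA_GUIDS:
        for spelling in (guid.upper(), guid.lower()):
            for label, codec in ENCODINGS:
                needle = spelling.encode(codec)
                start = 0
                while True:
                    idx = buf.find(needle, start)
                    if idx < 0:
                        break
                    hits.append((idx, label, guid))
                    start = idx + 1
    return sorted(hits)


def is_suspicious(buf: bytes, min_hits: int = MIN_HITS) -> bool:
    """Flag the buffer when at least min_hits distinct vault GUIDs are referenced."""
    distinct = {guid for _, _, guid in find_vault_guids(buf)}
    return len(distinct) >= min_hits


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET image (not the real sample).

    1024 bytes of filler, then three GUIDs laid out as NUL-terminated UTF-16LE
    strings, a 16-byte gap, a fourth GUID in lower-case ASCII, and filler again.
    """
    filler = bytes(range(256)) * 4
    us_heap = b"".join(g.encode("utf-16-le") + b"\x00\x00" for g in VAULT_SCHEMA_GUIDS[:3])
    ascii_str = VAULT_SCHEMA_GUIDS[3].lower().encode("ascii")
    return filler + us_heap + b"\x00" * 16 + ascii_str + filler


if __name__ == "__main__":
    # Usage: python vault_guid_scan.py <file>; without an argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, label, guid in find_vault_guids(data):
        print(f"0x{offset:x} {label:5} {guid}")
    print("suspicious" if is_suspicious(data) else "below threshold")
```

Run it against a dumped or unpacked image rather than the packed dropper on disk: the GUIDs sit in the payload that is only present after unpacking, which is why the match above is on the .4af0930.0.unpack artefact and not on the submitted file.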

                    System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ParentImage: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, ParentProcessId: 6956, ParentProcessName: FYCC new order S460013746-560121121.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ProcessId: 2136, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ParentImage: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, ParentProcessId: 6956, ParentProcessName: FYCC new order S460013746-560121121.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ProcessId: 2136, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zriEHRxkd.exe, ParentImage: C:\Users\user\AppData\Roaming\zriEHRxkd.exe, ParentProcessId: 7288, ParentProcessName: zriEHRxkd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp", ProcessId: 7508, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, Initiated: true, ProcessId: 7204, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ParentImage: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, ParentProcessId: 6956, ParentProcessName: FYCC new order S460013746-560121121.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", ProcessId: 1508, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ParentImage: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, ParentProcessId: 6956, ParentProcessName: FYCC new order S460013746-560121121.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ProcessId: 2136, ProcessName: powershell.exe
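The Sigma hits above are single-event matches on process-creation and network-connection fields: PowerShell adding a Defender path exclusion, schtasks importing a task XML from the user's Temp directory under a parent running from the Desktop, and the dropper itself opening TCP/25. The Python below is an added example, not part of the Joe Sandbox report and not the upstream Sigma rules verbatim; it re-implements those four checks so they can be run over Sysmon-shaped records. The event records are constructed from this report's process tree and network section (plus one constructed benign control); the MAIL_CLIENTS allow-list, the user-writable directory list and the match patterns are this example's own assumptions.

```python
"""Re-implementation of the four Sigma-style checks that fired above, run over
Sysmon-shaped records. Added example, not part of the Joe Sandbox report and
not the upstream Sigma rules verbatim."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Constructed records: values copied from this report's process tree and
# network section; field names follow Sysmon Event ID 1 (process create)
# and Event ID 3 (network connect). The last record is a benign control.
EVENTS: List[Event] = [
    {"EventID": "1", "ProcessId": "2136",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"',
     "ParentImage": r"C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"},
    {"EventID": "1", "ProcessId": "1508",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"},
    {"EventID": "3", "ProcessId": "7204",
     "Image": r"C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe",
     "DestinationIp": "46.175.148.58", "DestinationPort": "25", "Initiated": "true"},
    {"EventID": "1", "ProcessId": "4242",  # constructed benign control, not from the report
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumptions of this example, not values taken from the report or the Sigma rules.
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # processes expected to speak SMTP
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


def _image_name(ev: Event) -> str:
    """Lower-cased file name of the event's Image field."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def check_defender_exclusion(ev: Event) -> Optional[str]:
    """PowerShell adding a Defender exclusion (Add-/Set-MpPreference -Exclusion*)."""
    if ev.get("EventID") == "1" and _image_name(ev) == "powershell.exe" \
            and MPPREF_RE.search(ev.get("CommandLine", "")):
        return "defender_exclusion_added"
    return None


def check_schtasks_from_temp(ev: Event) -> Optional[str]:
    """schtasks /Create importing a task definition (/XML) that lives in a temp directory."""
    cl = ev.get("CommandLine", "")
    if ev.get("EventID") == "1" and _image_name(ev) == "schtasks.exe" \
            and re.search(r"/create\b", cl, re.I) and re.search(r"/xml\b", cl, re.I) \
            and TEMP_RE.search(cl):
        return "schtasks_xml_from_temp"
    return None


def check_schtasks_suspicious_parent(ev: Event) -> Optional[str]:
    """schtasks spawned by a parent that runs out of a user-writable directory."""
    parent = ev.get("ParentImage", "").lower()
    if ev.get("EventID") == "1" and _image_name(ev) == "schtasks.exe" \
            and any(d in parent for d in USER_WRITABLE_DIRS):
        return "schtasks_suspicious_parent"
    return None


def check_outbound_smtp(ev: Event) -> Optional[str]:
    """Outbound TCP/25 initiated by a process that is not an expected mail client."""
    if ev.get("EventID") == "3" and ev.get("Initiated") == "true" \
            and ev.get("DestinationPort") == "25" and _image_name(ev) not in MAIL_CLIENTS:
        return "outbound_smtp_non_mail_client"
    return None


CHECKS = (check_defender_exclusion, check_schtasks_from_temp,
          check_schtasks_suspicious_parent, check_outbound_smtp)


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (ProcessId, finding) for every check that fires on every event, in input order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev["ProcessId"], hit))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(f"PID {pid}: {finding}")
```

The benign control (schtasks /Query from cmd.exe in System32) is there so the Temp-path and parent-directory conditions can be seen not to fire on routine administration. In a real deployment the TCP/25 allow-list would come from the environment's mail-relay inventory rather than a hard-coded tuple, and the two schtasks conditions are worth keeping separate: the /XML-from-Temp pattern is specific to this dropper family's behaviour, while the user-writable-parent condition catches the same persistence step when the task is defined inline.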

                    Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe", ParentImage: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe, ParentProcessId: 6956, ParentProcessName: FYCC new order S460013746-560121121.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp", ProcessId: 1508, ProcessName: schtasks.exe
                    No Suricata rule has matched


                    AV Detection

Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe; ReversingLabs: Detection: 63%
Source: FYCC new order S460013746-560121121.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe; Joe Sandbox ML: detected
Source: FYCC new order S460013746-560121121.exe; Joe Sandbox ML: detected
Source: FYCC new order S460013746-560121121.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FYCC new order S460013746-560121121.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: GxQf.pdb; source: FYCC new order S460013746-560121121.exe, zriEHRxkd.exe.0.dr
Source: Binary string: GxQf.pdbSHA256; source: FYCC new order S460013746-560121121.exe, zriEHRxkd.exe.0.dr

                    Networking

Source: Yara match; File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; ASN Name: ASLAGIDKOM-NETUA
Source: global traffic; TCP traffic: 192.168.2.4:49733 -> 46.175.148.58:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: FYCC new order S460013746-560121121.exe, 00000008.00000002.2933747926.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, zriEHRxkd.exe, 00000010.00000002.2934757026.00000000030A6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1717936997.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, zriEHRxkd.exe, 00000009.00000002.1762195000.00000000029D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp; Strings found in binary or memory (these are the vendor and designer URLs typically carried in font name tables, consistent with font resources embedded in the .NET binary; they are not network indicators for this sample and should not be blocked or hunted on):
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, FYCC new order S460013746-560121121.exe, 00000008.00000002.2930996785.0000000000436000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, SKTzxzsJw.cs; .Net Code: sf6jJs8S

                    System Summary

Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: initial sample; Static PE information: Filename: FYCC new order S460013746-560121121.exe
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe; Code functions: 0_2_012BD5BC, 0_2_0C231C38, 0_2_0C233DF0, 0_2_0C231800, 0_2_0C233440, 0_2_0C2342E8
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe; Code functions: 8_2_00FF4A98, 8_2_00FF9B38, 8_2_00FFCDB0, 8_2_00FF3E80, 8_2_00FF41C8, 8_2_05909538, 8_2_0590B018
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe; Code functions: 9_2_0101D5BC, 9_2_04F56FD8, 9_2_04F50040, 9_2_04F5001E, 9_2_04F56FC8, 9_2_05566573, 9_2_05563DF0, 9_2_05563440, 9_2_05561C38, 9_2_05561800, 9_2_055642DA, 9_2_055642E8
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe; Code functions: 16_2_015B9B38, 16_2_015B4A98, 16_2_015BCDB0, 16_2_015B3E80, 16_2_015B41C8
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1717137417.000000000131E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1730824331.000000000A1B0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000000.00000002.1717936997.00000000030D1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000000.00000000.1687040380.0000000000C34000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameGxQf.exeF vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000008.00000002.2930996785.0000000000438000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe, 00000008.00000002.2931569369.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe; Binary or memory string: OriginalFilenameGxQf.exeF vs FYCC new order S460013746-560121121.exe
Source: FYCC new order S460013746-560121121.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: FYCC new order S460013746-560121121.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zriEHRxkd.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, 4JJG6X.cs; Cryptographic APIs: 'TransformFinalBlock' (reported twice)
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock' (reported four times)
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, CqSP68Ir.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, CqSP68Ir.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, zdSIkGnMMCQd2O9mPf.cs; Security API names: _0020.SetAccessControl
Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, zdSIkGnMMCQd2O9mPf.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, zdSIkGnMMCQd2O9mPf.cs; Security API names: _0020.AddAccessRule
Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, mTdaZDYY21clRXMKNH.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/15@1/1
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeFile created: C:\Users\user\AppData\Roaming\zriEHRxkd.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF74B.tmpJump to behavior
                    Source: FYCC new order S460013746-560121121.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: FYCC new order S460013746-560121121.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: FYCC new order S460013746-560121121.exeReversingLabs: Detection: 63%
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeFile read: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeProcess created: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: FYCC new order S460013746-560121121.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: FYCC new order S460013746-560121121.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: FYCC new order S460013746-560121121.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: GxQf.pdb source: FYCC new order S460013746-560121121.exe, zriEHRxkd.exe.0.dr
                    Source: Binary string: GxQf.pdbSHA256 source: FYCC new order S460013746-560121121.exe, zriEHRxkd.exe.0.dr

                    Data Obfuscation

                    Source: FYCC new order S460013746-560121121.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: zriEHRxkd.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, zdSIkGnMMCQd2O9mPf.cs | .Net Code: g0TOeynRl1 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.FYCC new order S460013746-560121121.exe.40b9c80.1.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.FYCC new order S460013746-560121121.exe.77c0000.2.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: FYCC new order S460013746-560121121.exe | Static PE information: 0xD86F640D [Wed Jan 24 12:46:05 2085 UTC]
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Code function: 0_2_012BF590 pushfd ; iretd 0_2_012BF599
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Code function: 0_2_0C236968 push eax; ret 0_2_0C236969
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Code function: 0_2_0C230948 push eax; retf 0_2_0C230951
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Code function: 0_2_0C23A48D push FFFFFF8Bh; iretd 0_2_0C23A48F
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Code function: 9_2_05567C88 pushad ; retf 9_2_05567C89
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Code function: 9_2_05560948 push eax; retf 9_2_05560951
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Code function: 9_2_055699BD push FFFFFF8Bh; iretd 9_2_055699BF
                    Source: FYCC new order S460013746-560121121.exe | Static PE information: section name: .text entropy: 7.7202729821894875
                    Source: zriEHRxkd.exe.0.dr | Static PE information: section name: .text entropy: 7.7202729821894875
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, repIJbGsRd48EmhpAf.cs | High entropy of concatenated method names: 'BX48VBFLpk', 'fR58Q5EMPm', 'ntm8G2rymv', 'vW28gQvUfT', 'q4c8SE12V4', 'Y8T8ZW7DtB', 'gXs8Pb9Slr', 'dj986PtvXT', 'xyW85bM0k9', 'LMx8cxGAwp'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, Vr1kURpLoYhuA9eBqC.cs | High entropy of concatenated method names: 'WDRbUrExSn', 'KItbuwlPEo', 'CCvbrRrB79', 'dCxbCKNkSS', 'pjmbnksxQj', 'Yc0rdAYoRD', 'nLQrMOAMWm', 'FOlry1JLwX', 'mRQrFZh4qv', 'iuBr0sHibE'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, pmA9WIswyXlfwkwokB5.cs | High entropy of concatenated method names: 'yIUkqJi09p', 'pPlkXj0GUU', 'mQIkeEAsaQ', 'Jr9kJscBrq', 'hYrkW02Ttv', 'znsklD0buS', 'DElkjpMN2Y', 'romkY1ZPKe', 'OP7k1KfK24', 'EjUkTLOJH7'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, rEZGS2OLGTMOroknYa.cs | High entropy of concatenated method names: 'EB3sCTdaZD', 'E21snclRXM', 'IQnsKln6U2', 'WjXs3UXqXt', 'wEgs8VDMr1', 'rURsRLoYhu', 'WOom3Wi4gXjpRSM5pj', 'lKtrw1SHfFbdZIDC9B', 'mGassmdH50', 'TQbsLKl0U7'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, mTdaZDYY21clRXMKNH.cs | High entropy of concatenated method names: 'dx8uGiulP3', 'YorugxnAml', 'UFGuEdQZSX', 'wHnuIM7JTd', 'DGqudBf7PQ', 'TcouMKkKxT', 'KTUuy0rsQG', 'GILuFKud6l', 'm7Lu0R1Eba', 'HJuuvKe9pO'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, KcsQAHhWUhy0uOPPuB.cs | High entropy of concatenated method names: 'qtqeScgSI', 'lGIJrfKf5', 'PrgllygW3', 'TfujrNhQl', 'hwM1D2Aa2', 'sB8TYFgxC', 'e7Q36u1qyR6P0KxPOT', 'EYf9E3aQ2laUS0vOrb', 'yeLxFV3jS', 'xu94AOaZZ'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, EcPGur7ANRD1TPvEbs.cs | High entropy of concatenated method names: 'f6tCq7ayXN', 'OFdCXYF5bW', 'SqNCeouOKp', 'SiICJ39yBF', 'MoHCWhXi95', 'j10ClsLo5o', 'X7FCjdMNV2', 'NEcCYalMhQ', 'o4wC1bMyrc', 't7SCTIgwvW'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, yqXtJjT0m1dmgBEgVD.cs | High entropy of concatenated method names: 'qtRrWXbSWR', 'LwrrjpQ1T7', 'CdGNZphCXG', 'ybtNP5wUTg', 'xjcN6juNN3', 'I6DN5rgnED', 'TuZNcKI0bC', 'vl6NaB3xJX', 'GaxN7YXuEo', 'J4ENVIrinv'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, W4jU5dvpdOZeHqSI0c.cs | High entropy of concatenated method names: 'xixksKjqAh', 'qk4kLLZyGV', 'CCOkOUrpP9', 'TVQkfDf9LT', 'sbnkusbHjB', 'yZ0krdurmd', 'wSVkblBek7', 'e2nxyxS3Ki', 'OqnxFIp91K', 'y6jx0vxUWd'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, C6XToXF8OhcGVkX9VC.cs | High entropy of concatenated method names: 'VlwxfbSJqj', 'ctOxu1BsE8', 'koZxN9eUAb', 'vyTxrUndQm', 'famxb4S2Av', 'KPaxCwQmTR', 'FqXxn2W41Y', 'BruxiSGx0g', 'lg3xKEhfjl', 'm7dx3uDrjD'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, zdSIkGnMMCQd2O9mPf.cs | High entropy of concatenated method names: 'FyRLUqWl8J', 'Pl4LfANMjH', 'QWaLu1OjJo', 'yVYLNMlimP', 'g3yLrUZevw', 'rQeLbIFLj3', 'v3iLCmmbm3', 'QhELna7p92', 'vpdLidTREA', 'PZuLKiha81'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, TiBcUXMHMywYj2Ntbf.cs | High entropy of concatenated method names: 'Vwv9FWkQCL', 'cKI9vkXsQY', 'Wj6xw02bon', 'rnSxsugnjN', 'cXH9HVmsUp', 'vVk9QuZGrZ', 'lGF9Dnsiay', 'EZT9GTUKQR', 'YyK9gGDlt8', 'nmL9EXYXM9'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, r1RxJQIOnrv16pIjnS.cs | High entropy of concatenated method names: 'uI09KiWiPc', 'iks93S8I6I', 'ToString', 'Rct9fLTZcF', 'eM49usewjV', 'Q5k9NiVloR', 'N7U9rGrKUH', 'R8E9bToh0v', 'AWK9CNGaxP', 'JWu9n99aZi'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, dyR5ubz2UFIhLaeg84.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mZJkAt3xAK', 'Kxjk8BeaUf', 'fNVkRglM6I', 'XZfk9jmuCA', 'P8Mkxr669P', 'AAhkkISIuv', 'xRpk47RMoj'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, VLVl7u0FLtPXrIMTdL.cs | High entropy of concatenated method names: 'EbOxpbil1j', 'TfGxSFt5vO', 'fErxZrNPPl', 'qGKxPZHar3', 'IJ0xGokMqm', 'DKEx6SHIMM', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, wNCpuMDPhcXVljnkRc.cs | High entropy of concatenated method names: 'QRsAYnYcDI', 'zMXA1sNQWH', 'tCkApdjwNG', 'AYjASPBwAM', 'rUNAPKPZxD', 'akAA62c1JL', 'dh6AcA8mO6', 'dxgAaVSPHJ', 'C0wAVcwxtH', 'qgAAHfsXJV'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, SpGcZpNMxGsn0LRmfO.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'efmh0iVW0M', 'YRghvMRbnC', 'Bk6hzImgAm', 'PZOLwNPel2', 'gHILsTeqhD', 'DrqLhM8NoV', 'nxyLLJYEpj', 'ATVlwX4Tw5M9TlIuCG1'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, xrUZKjsLyPVxqpRoZk1.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RxX4Gsuuy1', 'CIw4gF33c2', 'xmh4EviStj', 'veK4I98uCV', 'uAs4d7BIFN', 'r4o4MhtYsw', 'OvA4y50gXF'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, GxrXjZ1Qnln6U2yjXU.cs | High entropy of concatenated method names: 'RNMNJlVKHl', 'BCkNlOce2j', 'yRmNYVqIdu', 'aRdN1GUNb1', 'vgqN80RPoZ', 'L2iNRfBovx', 'Y5xN9SBoXv', 'CkWNxn5URC', 'v1rNkcg4RN', 'RqAN4c2Avq'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, aO5RTWcB52QqTKOiOc.cs | High entropy of concatenated method names: 'smOCfJOWJh', 'aA9CNRVPQZ', 'OEfCbs9bB6', 'Hqqbvp7Gx3', 'ABlbztKJT0', 'T7lCwabFoH', 'CELCsqiwZ6', 'AXkChkXrqG', 'B7NCLleqQC', 'O6xCOrJmVe'
                    Source: 0.2.FYCC new order S460013746-560121121.exe.a1b0000.3.raw.unpack, yhfjMwuWd4iYkcRX6m.cs | High entropy of concatenated method names: 'Dispose', 'xqVs09Ko5r', 'zILhS9WSDx', 'phKvvMY7Ek', 'Cj6svXToX8', 'dhcszGVkX9', 'ProcessDialogKey', 'NCyhwLVl7u', 'XLthsPXrIM', 'FdLhhF4jU5'
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | File created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (129).png
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zriEHRxkd.exe PID: 7288, type: MEMORYSTR
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 7AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 8AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 8C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 9C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: A230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: B230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: FF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory allocated: 4BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 4990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 6FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 7FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 8130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 9130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 97F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: A7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6759
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1011
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Window / User API: threadDelayed 5593
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Window / User API: threadDelayed 4223
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Window / User API: threadDelayed 1746
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Window / User API: threadDelayed 8116
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6376 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7332 | Thread sleep count: 5593 > 30
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99763s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99652s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99360s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -99110s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98851s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7332 | Thread sleep count: 4223 > 30
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98495s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98376s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96987s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94735s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94610s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94485s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94360s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94235s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -94110s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -93985s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -93860s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -93735s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe TID: 7316 | Thread sleep time: -93610s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7344 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7672 | Thread sleep count: 1746 > 30
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7672 | Thread sleep count: 8116 > 30
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99639s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97748s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96872s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96219s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95891s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95766s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95641s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95422s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -94875s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -94766s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe TID: 7660 | Thread sleep time: -94516s >= -30000s
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99874Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99763Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99652Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99531Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99360Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 99110Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98984Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98851Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98735Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98610Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98495Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98376Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98140Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 98031Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97922Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97688Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97563Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97453Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97344Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97219Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96987Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96610Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96485Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96360Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96235Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 96110Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95985Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95860Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95735Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95610Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95485Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95360Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95235Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 95110Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94985Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94860Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94735Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94610Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94485Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94360Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94235Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 94110Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 93985Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 93860Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 93735Jump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeThread delayed: delay time: 93610Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99872
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99749
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99639
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99422
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99312
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99203
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 99094
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98984
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98875
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98766
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98641
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98516
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98406
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98187
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 98078
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97969
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97748
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97640
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97422
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97312
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 97094
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96984
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96872
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96766
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96656
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96547
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96437
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96328
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96219
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96109
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 96000
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95891
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95766
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95641
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95531
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95422
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95312
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95203
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 95094
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 94984
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 94875
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 94766
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 94641
                    Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exeThread delayed: delay time: 94516
                    Source: zriEHRxkd.exe, 00000010.00000002.2932246307.0000000001344000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                    Source: FYCC new order S460013746-560121121.exe, 00000008.00000002.2931782915.0000000000F23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Memory written: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Process created: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp"
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Process created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Process created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Process created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Process created: C:\Users\user\AppData\Roaming\zriEHRxkd.exe "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.FYCC new order S460013746-560121121.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2933747926.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2934757026.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zriEHRxkd.exe PID: 7584, type: MEMORYSTR
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\zriEHRxkd.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zriEHRxkd.exe PID: 7584, type: MEMORYSTR

Remote Access Functionality
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.FYCC new order S460013746-560121121.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FYCC new order S460013746-560121121.exe.4af0930.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2933747926.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2934757026.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FYCC new order S460013746-560121121.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zriEHRxkd.exe PID: 7584, type: MEMORYSTR
Tactic columns of the matrix, with the techniques listed per column (a number in parentheses is the signature count shown in that cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (111); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (141); Process Injection (111)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1523586 | Sample: FYCC new order S460013746-5... | Startdate: 01/10/2024 | Architecture: WINDOWS | Score: 100

Graph nodes (node numbers as in the graph; the number in parentheses after a process name is the count shown beside it):

• Node 2 (start)
  DNS/IP: mail.iaa-airferight.com (node 50)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 14 other signatures
  Started: FYCC new order S460013746-560121121.exe (7) (node 8); zriEHRxkd.exe (5) (node 12)
• Node 8: FYCC new order S460013746-560121121.exe
  Dropped: C:\Users\user\AppData\Roaming\zriEHRxkd.exe, PE32; C:\Users\...\zriEHRxkd.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmpF74B.tmp, XML; FYCC new order S46...6-560121121.exe.log, ASCII
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: FYCC new order S460013746-560121121.exe (2) (node 14); powershell.exe (23) (node 18); powershell.exe (23) (node 20); schtasks.exe (1) (node 22)
• Node 12: zriEHRxkd.exe
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
  Started: zriEHRxkd.exe (node 24); schtasks.exe (node 26); zriEHRxkd.exe (node 28); 2 other processes (node 30)
• Node 14: FYCC new order S460013746-560121121.exe
  DNS/IP: mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine (node 52)
• Node 18: powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 32); WmiPrvSE.exe (node 34)
• Node 20: powershell.exe
  Started: conhost.exe (node 36)
• Node 22: schtasks.exe
  Started: conhost.exe (node 38)
• Node 24: zriEHRxkd.exe
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
• Node 26: schtasks.exe
  Started: conhost.exe (node 40)

Source | Detection | Scanner | Label | Link
FYCC new order S460013746-560121121.exe | 63% | ReversingLabs | Win32.Ransomware.CryptoJoker |
FYCC new order S460013746-560121121.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\zriEHRxkd.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\zriEHRxkd.exe | 63% | ReversingLabs | Win32.Ransomware.CryptoJoker |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | FYCC new order S460013746-560121121.exe, 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, FYCC new order S460013746-560121121.exe, 00000008.00000002.2930996785.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.iaa-airferight.com | FYCC new order S460013746-560121121.exe, 00000008.00000002.2933747926.0000000002C08000.00000004.00000800.00020000.00000000.sdmp, zriEHRxkd.exe, 00000010.00000002.2934757026.00000000030A6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.tiro.com | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FYCC new order S460013746-560121121.exe, 00000000.00000002.1717936997.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, zriEHRxkd.exe, 00000009.00000002.1762195000.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | FYCC new order S460013746-560121121.exe, 00000000.00000002.1728542847.0000000007102000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | | 56394 | ASLAGIDKOM-NETUA | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1523586
                          Start date and time:2024-10-01 20:02:06 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 20s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:FYCC new order S460013746-560121121.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@25/15@1/1
                          EGA Information:
                          • Successful, ratio: 75%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 138
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target zriEHRxkd.exe, PID 7584 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: FYCC new order S460013746-560121121.exe
Time       Type              Description
14:03:02   API Interceptor   176x Sleep call for process: FYCC new order S460013746-560121121.exe modified
14:03:04   API Interceptor   39x Sleep call for process: powershell.exe modified
14:03:07   API Interceptor   192x Sleep call for process: zriEHRxkd.exe modified
19:03:04   Task Scheduler    Run new task: zriEHRxkd path: C:\Users\user\AppData\Roaming\zriEHRxkd.exe
Match: 46.175.148.58 (IP)
Associated samples (each: Detection malicious, Threat Name AgentTesla; SHA-256 behind the report's "Get hash" link, report link "Browse"):
    • Balance payment.exe
    • purchase order T&B19-20PO128.exe
    • Purchase order.exe
    • BOSSARD_ORDER_4923521.exe
    • Telco 32pcs New Purchase Order.exe
    • Ningbo - Past Due Invoices.scr.exe
    • Samsung PO 20240920.exe
    • PO-3500036071.exe
    • PI #OVES1912196.scr.exe
    • SPW AW25 - PO.010 SMS.exe
Match: mail.iaa-airferight.com (domain)
Associated samples: the same ten AgentTesla samples as above, each with context IP 46.175.148.58.
Match: ASLAGIDKOM-NETUA (ASN)
Associated samples: the same ten AgentTesla samples as above, each with context IP 46.175.148.58.
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.380134126512796
                                              Encrypted:false
                                              SSDEEP:48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:+LHxvIIwLgZ2KRHWLOuggs
                                              MD5:2A51987DAFE4586D09FC4BE0507F6B71
                                              SHA1:AE3D26F5D8A78CB88E29ADEC340C56A0F6B3D3B7
                                              SHA-256:2EBC59B6B9D301FBFDD52FA8CF1C811F7814C4F24943D6BC3F5FD7B8529F8D16
                                              SHA-512:F1D8BFF693D16BEEE9D0C06CEA7CD925CACB33170201A35BC01099BA4225BB26EAE347213F9C29DF3E320CE0DD1D299D5B735D089145EE1E188A8024F62F78C3
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
(The report lists seven further files dropped by powershell.exe that are byte-identical to the entry above: same 60-byte size, same hashes, same one-line content.)
                                              Process:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1575
                                              Entropy (8bit):5.110337879118249
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaYxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTfv
                                              MD5:FF4121E8B7DE47BC305AC24040026605
                                              SHA1:56F3B38FC1E704DED861DC33DACC41B669EA3558
                                              SHA-256:42058DE60132C229A385FD70DE2AA8EA8580F2276FAA3723ABDFBE903458D43D
                                              SHA-512:2FE24C6F31B07C0E545913B3EAF00DA244AAAAB2150A18DA4E4F3BF254B29BE8BBE6815B71964051F961EEE92EA3280FEAD0DD84878038632A08293FE23A5BBB
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1575
                                              Entropy (8bit):5.110337879118249
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaYxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTfv
                                              MD5:FF4121E8B7DE47BC305AC24040026605
                                              SHA1:56F3B38FC1E704DED861DC33DACC41B669EA3558
                                              SHA-256:42058DE60132C229A385FD70DE2AA8EA8580F2276FAA3723ABDFBE903458D43D
                                              SHA-512:2FE24C6F31B07C0E545913B3EAF00DA244AAAAB2150A18DA4E4F3BF254B29BE8BBE6815B71964051F961EEE92EA3280FEAD0DD84878038632A08293FE23A5BBB
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
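The task definition above is what gives the sample its persistence: a logon trigger for the current user, LeastPrivilege/InteractiveToken (no elevation needed to register it), and, per the timeline, an action that runs C:\Users\user\AppData\Roaming\zriEHRxkd.exe. The following audit script is an added example, not code from the Joe Sandbox report or from the sample: it parses task XML in this shape and flags exactly those traits. The header, triggers, principal and settings in the embedded XML are copied from the preview; the Actions element is constructed, because the preview is cut off before it, and its command path is the one the timeline shows. Note the dropped file declares encoding="UTF-16" while the report types it as ASCII, so the script drops the declaration before parsing.

```python
"""Audit a Task Scheduler XML definition for user-level persistence traits.

Added example, not part of the Joe Sandbox report or of the sample. Flags an
enabled logon trigger whose action runs from a user-writable profile directory,
and notes when the task was registered as LeastPrivilege (no UAC prompt needed).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to without admin rights (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# Header, triggers, principal and settings follow the report's preview; the
# <Actions> block is constructed (the preview ends before it) and its command
# path is the one the report's Task Scheduler timeline entry shows.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\zriEHRxkd.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Same task pointing at a system binary: used to show the audit stays quiet.
SAMPLE_BENIGN_XML = SAMPLE_TASK_XML.replace(
    "C:\\Users\\user\\AppData\\Roaming\\zriEHRxkd.exe", "C:\\Windows\\System32\\notepad.exe")


@dataclass
class TaskFindings:
    author: str = ""
    commands: list = field(default_factory=list)
    logon_trigger_enabled: bool = False
    logon_type: str = ""
    run_level: str = ""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _text(elem, path: str) -> str:
    return (elem.findtext(path, default="", namespaces=TASK_NS) or "").strip()


def _strip_declaration(xml_text: str) -> str:
    # The dropped file claims UTF-16 but is written as ASCII; a declaration that
    # disagrees with the bytes is removed rather than trusted by the parser.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)


def audit_task_xml(xml_text: str) -> TaskFindings:
    root = ET.fromstring(_strip_declaration(xml_text))
    f = TaskFindings()
    f.author = _text(root, "t:RegistrationInfo/t:Author")
    f.logon_type = _text(root, "t:Principals/t:Principal/t:LogonType")
    f.run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    # Task Scheduler treats a missing <Enabled> element as enabled.
    for trig in root.findall("t:Triggers/t:LogonTrigger", TASK_NS):
        if _text(trig, "t:Enabled").lower() in ("", "true"):
            f.logon_trigger_enabled = True
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        f.commands.append((cmd.text or "").strip().strip('"'))
    for cmd in f.commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            when = "at every logon" if f.logon_trigger_enabled else "on its trigger"
            f.reasons.append(f"runs {cmd} from a user-writable directory {when}")
    if f.reasons and f.run_level == "LeastPrivilege":
        f.reasons.append("registered as LeastPrivilege: no elevation was needed to install it")
    return f


if __name__ == "__main__":
    for label, xml_text in (("dropped task", SAMPLE_TASK_XML), ("benign variant", SAMPLE_BENIGN_XML)):
        r = audit_task_xml(xml_text)
        print(f"{label}: author={r.author!r} suspicious={r.suspicious}")
        for reason in r.reasons:
            print("  -", reason)
```

On a live host the same function can be fed the output of `schtasks /Query /TN <name> /XML` or the task files under C:\Windows\System32\Tasks (those are stored as UTF-16 and need decoding to text first); the user-writable path list is a starting point, not a complete one.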
                                              Process:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):942592
                                              Entropy (8bit):7.22660784123778
                                              Encrypted:false
                                              SSDEEP:12288:T3TEG/N9AKPGu+MAyn6+6Slh5/2qVe2lR8XaZW4IaBAP7r9r/+ppppppppppppp7:8AnAPRo6+pPOnoR8X2W4JBA1q
                                              MD5:78EFF09F295AA4B3AAF36AF5245EFE94
                                              SHA1:DEA545E8B85F2C1201F7AA3A54F643826CA8A6ED
                                              SHA-256:38F275624C634801C164C2C8F3294CBEEA49B47E8E8D83BDA53A0BC8AA7F7106
                                              SHA-512:A8B49247156AA7004206F24211054F7F37C73DF06E8A85ECF843E9C44CC99A5CF29886E85BA03D89A87A1D3968322C25CDEF7877AE6C5EFCFA946910204CE67F
Malicious:true
MD5, SHA1 and SHA-256 are identical to the submitted sample (see the static file info below): this is an unmodified self-copy, consistent with the C:\Users\user\AppData\Roaming\zriEHRxkd.exe process that the scheduled task launches.
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 63%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....do...............0......T.......+... ...@....@.. ....................................@.................................G+..O....@..dP..............h4..........<...p............................................ ............... ..H............text........ ...................... ..`.rsrc...dP...@...R..................@..@.reloc...............`..............@..B................{+......H.......<_...C..........D....q..........................................z..}......}.....(.......(.....*..0..P..........{....o.....{....o....(.........,"...{....o.....{....o.....(......+....}.....*.0..\.........r...p(......,..r...pr)..p(....&..}......r...p(......,..r7..pr)..p(....&..}......{.....+..*.0...........r...p.r...p.~N...s.......o.....~O......s......r_..p.s........o......o....&..o.....+....o....( ......o....( ......o!.......-..o".......,7...(#.......,.rm..pr)..p(....&+
                                              Process:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.22660784123778
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:FYCC new order S460013746-560121121.exe
                                              File size:942'592 bytes
                                              MD5:78eff09f295aa4b3aaf36af5245efe94
                                              SHA1:dea545e8b85f2c1201f7aa3a54f643826ca8a6ed
                                              SHA256:38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
                                              SHA512:a8b49247156aa7004206f24211054f7f37c73df06e8a85ecf843e9c44cc99a5cf29886e85ba03d89a87a1d3968322c25cdef7877ae6c5efcfa946910204ce67f
                                              SSDEEP:12288:T3TEG/N9AKPGu+MAyn6+6Slh5/2qVe2lR8XaZW4IaBAP7r9r/+ppppppppppppp7:8AnAPRo6+pPOnoR8X2W4JBA1q
                                              TLSH:9815ADC0FA156714DD685B30963ACDB552623DBCB434B9AE29CD3F673BFE2526408B02
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....do...............0......T.......+... ...@....@.. ....................................@................................
                                              Icon Hash:c5a484988c94a04b
                                              Entrypoint:0x4b2b9a
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xD86F640D [Wed Jan 24 12:46:05 2085 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:
                                              Signature Issuer:
                                              Signature Validation Error:
                                              Error Number:
                                              Not Before, Not After
                                                Subject Chain
                                                  Version:
                                                  Thumbprint MD5:
                                                  Thumbprint SHA-1:
                                                  Thumbprint SHA-256:
                                                  Serial:
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes after the 6-byte stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

The entry point is the standard native stub of a .NET executable: an indirect jump through the IAT entry at RVA 0x2000, the only import, mscoree.dll!_CorExeMain, which then loads the CLR and runs the managed entry point. Nothing of the actual program is visible here; it lives in the managed code of .text.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2b47 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x35064 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb1800 | 0x3468 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb143c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

The SECURITY entry is a file offset rather than an RVA, which is why it maps to no section. It is the only evidence behind "Digitally signed: true" above; the report populates no issuer, validity, thumbprint or validation fields for it, so the signature should be treated as unverified. The non-empty COM_DESCRIPTOR entry (the CLR header) is what marks the file as a .NET assembly.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb0ba0 | 0xb0c00 | b863dca4e4f6e53b15736ce9f775ca49 | False | 0.8866814555339463 | data | 7.7202729821894875 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x35064 | 0x35200 | 4789099e72a859ccf83dce526d2b2904 | False | 0.20988970588235295 | data | 4.455390880468904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0xc | 0x200 | 1349ed80085313af48f2ec1adb901d04 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
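The header fields above (the 2085 time stamp, the CLR header directory, the entry point) and the 7.72 entropy of .text are the first things a triage script pulls from a sample like this. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses those fields from the raw PE headers without a third-party library and scores section entropy. The bytes it parses are constructed in build_stub_pe with the values reported above (i386, three sections, TimeDateStamp 0xD86F640D, CLR header at RVA 0x2008); the sample itself is not embedded, and the 4 KiB buffers fed to the entropy function are synthetic.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # the CLR header; non-empty => .NET assembly


def build_stub_pe(timestamp, com_descriptor=(0x2008, 0x48)):
    """Header-only PE32 image constructed for this example (not the sample's bytes).
    Field values mirror the report: i386, 3 sections, entry point 0x4b2b9a, image base 0x400000."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                      # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x4B2B9A)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, *com_descriptor)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data):
    """Return the header fields a triage script wants, for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    n_dirs = struct.unpack_from("<I", data, opt + (108 if pe32_plus else 92))[0]
    dir_base = opt + (112 if pe32_plus else 96)
    dirs = [struct.unpack_from("<II", data, dir_base + 8 * i) for i in range(n_dirs)]
    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if n_dirs > 14 else (0, 0)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": ts,
        "built_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "is_dotnet": clr_size != 0,
        "entrypoint": struct.unpack_from("<I", data, opt + 16)[0],
    }


def timestamp_verdict(ts, now=None):
    """Classify a COFF TimeDateStamp. Caveat: Roslyn deterministic builds store a content hash
    in this field, so a nonsense date on a .NET binary is a lead to check, not proof of tampering."""
    now = now or datetime.now(timezone.utc)
    if ts == 0:
        return "zeroed"
    if datetime.fromtimestamp(ts, tz=timezone.utc) > now:
        return "in the future"
    return "plausible"


def shannon_entropy(blob):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted payloads sit above ~7."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


if __name__ == "__main__":
    info = parse_pe_header(build_stub_pe(0xD86F640D))
    print(f"timestamp 0x{info['timestamp']:08X} = {info['built_utc']:%Y-%m-%d %H:%M:%S} UTC "
          f"({timestamp_verdict(info['timestamp'])}), .NET={info['is_dotnet']}, "
          f"entrypoint=0x{info['entrypoint']:x}")
    print(f"entropy: zeros {shannon_entropy(bytes(4096)):.2f}, "
          f"all byte values {shannon_entropy(bytes(range(256))):.2f}")
```

Run it against a real file by replacing the constructed stub with the file's bytes; the parser only touches the headers, so a truncated or header-only sample still yields the time stamp and CLR check. A .text entropy near 7.7 on a .NET assembly, as reported above, normally means an encrypted or compressed second stage stored in the managed code, which matches the ".NET source code contains potential unpacker" and injection signatures in the summary.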
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb4460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
RT_ICON | 0xb4ac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
RT_ICON | 0xb4db0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
RT_ICON | 0xb4f98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
RT_ICON | 0xb50c0 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
RT_ICON | 0xb86a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
RT_ICON | 0xb9548 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
RT_ICON | 0xb9df0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
RT_ICON | 0xba4b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
RT_ICON | 0xbaa20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
RT_ICON | 0xcb248 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
RT_ICON | 0xd46f0 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
RT_ICON | 0xdaed8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
RT_ICON | 0xe0360 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
RT_ICON | 0xe4588 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
RT_ICON | 0xe6b30 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
RT_ICON | 0xe7bd8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
RT_ICON | 0xe8560 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
RT_GROUP_ICON | 0xe89c8 | 0x102 | data | | | 0.5775193798449613
RT_VERSION | 0xe8acc | 0x3ac | data | | | 0.4148936170212766
RT_MANIFEST | 0xe8e78 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 20:03:06.511756897 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:07.600493908 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:09.694318056 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:10.104970932 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:11.194252014 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:13.194278955 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:13.694514990 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:17.209909916 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:21.709995031 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
Oct 1, 2024 20:03:25.213381052 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58

Every listed packet is outbound from the sandbox host to TCP/25 (SMTP) on the address resolved for mail.iaa-airferight.com, on two source ports, at intervals that roughly double (about 1, 2, 4 and 8 seconds per port); no reply packet is listed. That is the shape of unanswered connection attempts, so this capture does not contain a completed SMTP session, and the destination should be treated as the exfiltration endpoint from the configuration rather than as confirmed traffic.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 20:03:06.469336033 CEST | 51632 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 20:03:06.488112926 CEST | 53 | 51632 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 20:03:06.469336033 CEST | 192.168.2.4 | 1.1.1.1 | 0xf047 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 20:03:06.488112926 CEST | 1.1.1.1 | 192.168.2.4 | 0xf047 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                                  Target ID:0
                                                  Start time:14:03:01
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                                                  Imagebase:0xb80000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1718618655.00000000048EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:14:03:02
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                                                  Imagebase:0x540000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:14:03:02
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:14:03:03
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                                                  Imagebase:0x540000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:14:03:03
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:14:03:03
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmpF74B.tmp"
                                                  Imagebase:0xab0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:14:03:03
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:14:03:03
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\FYCC new order S460013746-560121121.exe"
                                                  Imagebase:0x7c0000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2933747926.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2933747926.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:9
                                                  Start time:14:03:04
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Imagebase:0x600000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 63%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:14:03:06
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff693ab0000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zriEHRxkd" /XML "C:\Users\user\AppData\Local\Temp\tmp8B0.tmp"
                                                  Imagebase:0xab0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                                                  Imagebase:0x280000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                                                  Imagebase:0x120000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                                                  Imagebase:0x2f0000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:14:03:07
                                                  Start date:01/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\zriEHRxkd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\zriEHRxkd.exe"
                                                  Imagebase:0xa80000
                                                  File size:942'592 bytes
                                                  MD5 hash:78EFF09F295AA4B3AAF36AF5245EFE94
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2934757026.000000000309E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2934757026.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:10.7%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:174
                                                    Total number of Limit Nodes:10

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 012BD0BE
                                                    • GetCurrentThread.KERNEL32 ref: 012BD0FB
                                                    • GetCurrentProcess.KERNEL32 ref: 012BD138
                                                    • GetCurrentThreadId.KERNEL32 ref: 012BD191
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 70b276413536e9921c16e2d48a92b0159fc49fbad56fc84ea9d8207e20b2a03c
                                                    • Instruction ID: c55071d13201bd2eab6ca0eb5a600545fda704c7843cdefe79a516ec8877076c
                                                    • Opcode Fuzzy Hash: 70b276413536e9921c16e2d48a92b0159fc49fbad56fc84ea9d8207e20b2a03c
                                                    • Instruction Fuzzy Hash: CA5165B09113498FDB14CFA9D588BDEBFF1EF49348F208469D118A7261C7349888CB65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 012BD0BE
                                                    • GetCurrentThread.KERNEL32 ref: 012BD0FB
                                                    • GetCurrentProcess.KERNEL32 ref: 012BD138
                                                    • GetCurrentThreadId.KERNEL32 ref: 012BD191
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: d8085b3d03201b7532e6720026004299b7d0e733f8ce60c3fb600a9f9ed56600
                                                    • Instruction ID: 23b5f181b36ab4c72a1c659c7e7b6fc0ded627b27731484a7ac5b814f3794e2d
                                                    • Opcode Fuzzy Hash: d8085b3d03201b7532e6720026004299b7d0e733f8ce60c3fb600a9f9ed56600
                                                    • Instruction Fuzzy Hash: 815156B09102098FDB18DFA9C588BDEBBF1FF48354F208469D519A7360D7349988CF65

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C234BDE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 46c99e01c098909b2b47f491c1f9235d745cec1bcaf5e27e5fe8fc3f61964fdc
                                                    • Instruction ID: a1e005b4d1102f9dfe7961c6a4fa52ee4dbf385e3f4ec4953044512c810aa41d
                                                    • Opcode Fuzzy Hash: 46c99e01c098909b2b47f491c1f9235d745cec1bcaf5e27e5fe8fc3f61964fdc
                                                    • Instruction Fuzzy Hash: EDA17EB1E1021ADFDB14DF68C8407EDBBB2BF48314F1485A9E809A7650DB749985CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C234BDE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 2503800e2d5c0b45bef2571e0223d7a19cd88b1f432fccaf036405f703f67536
                                                    • Instruction ID: c787e68dd9653b3b065226653a0317ed7f9967b9f9da283d27ec53f4f12e4d8f
                                                    • Opcode Fuzzy Hash: 2503800e2d5c0b45bef2571e0223d7a19cd88b1f432fccaf036405f703f67536
                                                    • Instruction Fuzzy Hash: DF917DB1E1021ADFDB14DFA8C840BEDBBB2BF48314F1485A9E809A7650DB749985CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012BAFFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: fd2f76dac56dc8887117aefa2fd32b6afe25d1f7d4cde4d46b5f45092bf9ba65
                                                    • Instruction ID: 9026e8d26e9c553f9a6b4d030511cabb1cd3b0d4267fa77d58cbaf043047fdaa
                                                    • Opcode Fuzzy Hash: fd2f76dac56dc8887117aefa2fd32b6afe25d1f7d4cde4d46b5f45092bf9ba65
                                                    • Instruction Fuzzy Hash: 87815B70A10B068FD724DF29D4847AABBF1FF48344F108A2DD58AD7651D775E849CB90

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 238c883f0e0cdc0dfee5cae616424d71b6bff7f57124132441b41a332ff6c869
                                                    • Instruction ID: 6db5977d0a6cc07556d0c6ed65a23c1cf36023ab909f179807dd0655b2b70328
                                                    • Opcode Fuzzy Hash: 238c883f0e0cdc0dfee5cae616424d71b6bff7f57124132441b41a332ff6c869
                                                    • Instruction Fuzzy Hash: 1441D2B0C0171DCEDB24CFA9C884BDEBBB5BF49304F24805AD509AB255DB75598ACF90

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: bcd5c16d257e3a57f2ab2309e8898a19d92c5bdacd187b4ee36ab6f2544d16dd
                                                    • Instruction ID: a08ecce32d7d89d1de5cf4332e073b0ddcc3f288d3cb9c4fdca5531453aa15bf
                                                    • Opcode Fuzzy Hash: bcd5c16d257e3a57f2ab2309e8898a19d92c5bdacd187b4ee36ab6f2544d16dd
                                                    • Instruction Fuzzy Hash: 1341F2B0C0071DCBDB24DFA9C8847CEBBB5BF49304F24805AD509AB251DB755949CF90

                                                    Control-flow Graph: entry block c234718-c23476e, calls WriteProcessMemory (rendered graph omitted)
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C2347B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: a14ee42b1f3bef51daec098de4c367142611dca2eac4b321f30d55862a9b605d
                                                    • Instruction ID: 81563e88204e3f340ec2a9481370522b35648b48c30619e8c2c506524c609b19
                                                    • Opcode Fuzzy Hash: a14ee42b1f3bef51daec098de4c367142611dca2eac4b321f30d55862a9b605d
                                                    • Instruction Fuzzy Hash: F72144B19012499FDB10DFA9C885BEEBFF0FF48310F10842AE958A7250C7789944CFA0

                                                    Control-flow Graph: entry block c233d10-c233d63, calls Wow64SetThreadContext (rendered graph omitted)
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0C233D96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: ec325ed1a9d6a3603614bfafdc995ccfa3197a8b8b056c4fcea0fb41f5774d28
                                                    • Instruction ID: 83675cfab7ee28ffbfba1c879e85034cf466752cfb6030fc381d4ca45bc57a82
                                                    • Opcode Fuzzy Hash: ec325ed1a9d6a3603614bfafdc995ccfa3197a8b8b056c4fcea0fb41f5774d28
                                                    • Instruction Fuzzy Hash: 362159B59002098FCB10DFAAC4857EEFFF4EF48320F10842AD459A7651C7789685CFA5

                                                    Control-flow Graph: entry block c234720-c23476e, calls WriteProcessMemory (rendered graph omitted)
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C2347B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 9c9f2ccde60070ed6ea29ff93420e8a90790d01396a415a73c0d172358d9a14f
                                                    • Instruction ID: 8aa8768a56863f58140a072af82f0605f4ea066344035ac481d1b05a05809e0b
                                                    • Opcode Fuzzy Hash: 9c9f2ccde60070ed6ea29ff93420e8a90790d01396a415a73c0d172358d9a14f
                                                    • Instruction Fuzzy Hash: 1B2144B19003199FCB10DFA9C884BEEBBF5FF48310F10842AE958A7250C7789944CFA4

                                                    Control-flow Graph: entry block c234808-c23489d, calls ReadProcessMemory (rendered graph omitted)
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C234890
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: cd164a580f60af860e9e9c4fe955d54c4d5c0ecdb01147c440964302fbbb79b2
                                                    • Instruction ID: f47c0c6f6a4f9bb126a09de32074f0404bfe904bec6f557f951ea5a13ccaaf7f
                                                    • Opcode Fuzzy Hash: cd164a580f60af860e9e9c4fe955d54c4d5c0ecdb01147c440964302fbbb79b2
                                                    • Instruction Fuzzy Hash: CB2127B18002599FCB10DFAAC880BDEFBF5FF48320F10842AE559A7650C7789544CBA5

                                                    Control-flow Graph: entry block 12bd689-12bd724, calls DuplicateHandle (rendered graph omitted)
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012BD717
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 89687ec6d70c25a7f0c2cbc7e1d2e182edcafed5b583f8f048e4ddb08711620a
                                                    • Instruction ID: a10f8cc9cdbefe157fdc49ebebb60e8a1cb59f10541bc6770013ec72f364ccd7
                                                    • Opcode Fuzzy Hash: 89687ec6d70c25a7f0c2cbc7e1d2e182edcafed5b583f8f048e4ddb08711620a
                                                    • Instruction Fuzzy Hash: C521E2B5D00259DFDB10CFAAD584AEEBFF5EB48324F14801AE958A3310C378A945CFA4

                                                    Control-flow Graph: entry block c233d18-c233d63, calls Wow64SetThreadContext (rendered graph omitted)
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0C233D96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 0099f3e8c675bdc2694dc7eb1b75d218d2fd82583578c99aeccf33d6d62f1bb1
                                                    • Instruction ID: a7646d4bc7183579f252aeb86bf2b63d218a305c57a8d1363914484edbb5aa4c
                                                    • Opcode Fuzzy Hash: 0099f3e8c675bdc2694dc7eb1b75d218d2fd82583578c99aeccf33d6d62f1bb1
                                                    • Instruction Fuzzy Hash: D82149B5D003098FDB10DFAAC4857EEBBF4EF88324F108429D459A7251C7789945CFA5
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C234890
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 79e532be5e73879132ed68057bc1b9f3db49c1168050da9d588a2f84e4d61783
                                                    • Instruction ID: 409e81a1e2568a42c7526bba472221ce7b430994ec3036232f9af64680a65f02
                                                    • Opcode Fuzzy Hash: 79e532be5e73879132ed68057bc1b9f3db49c1168050da9d588a2f84e4d61783
                                                    • Instruction Fuzzy Hash: 902128B1D002599FCB10DFAAC884ADEFBF5FF48310F10842AE959A7250C7789544CBA5
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012BD717
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 66aac65a86fcf2e1d6d1c185c0313289817de8ec32b809f1862191900dd83153
                                                    • Instruction ID: 3367206b0a14e774b30863ffdffe52d47739e672f8f7c4be78c9427f8af2dfe0
                                                    • Opcode Fuzzy Hash: 66aac65a86fcf2e1d6d1c185c0313289817de8ec32b809f1862191900dd83153
                                                    • Instruction Fuzzy Hash: 0821E4B59002489FDB10CFAAD584ADEBFF4EB48314F14801AE958A3310C374A944CFA5
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C234296
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: e165af7c67017b772b5fae917ffcef4f7e0abffbe25268d6587fc6d48b2682ac
                                                    • Instruction ID: 5b89e617442f98bca0ec7ece11c643c221ee936aca005b0b9c8d41e6b5ec4d07
                                                    • Opcode Fuzzy Hash: e165af7c67017b772b5fae917ffcef4f7e0abffbe25268d6587fc6d48b2682ac
                                                    • Instruction Fuzzy Hash: B61167B18002488FCB10DFAAC845ADFBFF5EB88320F208419E559A7210C7359544CFA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 0d21694c616503df91aabbc409b979e1a2275470749bce171e4ff74c2e388a73
                                                    • Instruction ID: 74aa844a1d231e552667ad96123277240a400ed331d1a0e87adf3b877209850c
                                                    • Opcode Fuzzy Hash: 0d21694c616503df91aabbc409b979e1a2275470749bce171e4ff74c2e388a73
                                                    • Instruction Fuzzy Hash: 9E1116B19003598FCB20DFAAC4457AEFFF5AB88324F208819D459A7250C779A985CBA5
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C234296
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 5666703c4755add6ae5bb484d0f7723b3f60f3ecd72cf26ed9def9faa68e0a80
                                                    • Instruction ID: 31e1a714ad546045e8526c2ec6f1bb5d1705d6f790f070280fb907492ba17503
                                                    • Opcode Fuzzy Hash: 5666703c4755add6ae5bb484d0f7723b3f60f3ecd72cf26ed9def9faa68e0a80
                                                    • Instruction Fuzzy Hash: 1E1167B19002498FCB10DFAAC844BDEBFF5EF88320F208419E519A7250C735A540CFA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 715e1f3def58d38609a2708d0312ca782496fa9e69ebbf10b760ae0966e1e6ad
                                                    • Instruction ID: c24787b5438c233acfb32b3ac1cbf367faaff91f98b3235bad0ce0bdb06fbffb
                                                    • Opcode Fuzzy Hash: 715e1f3def58d38609a2708d0312ca782496fa9e69ebbf10b760ae0966e1e6ad
                                                    • Instruction Fuzzy Hash: 271136B1D003498FCB20DFAAC4457DEFBF5EB88324F208829D459A7250CB79A945CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0C23877D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 20fe3a4bc1e717e14f4a8e7afa7ae38165fb464c0261192ee1605521cfddd10b
                                                    • Instruction ID: b602e24212703ea87202aadf88f545f294f97bf7e91c6aab88aea55594a94629
                                                    • Opcode Fuzzy Hash: 20fe3a4bc1e717e14f4a8e7afa7ae38165fb464c0261192ee1605521cfddd10b
                                                    • Instruction Fuzzy Hash: 4F1115B5800349DFCB10DF9AC588BDEFBF8EB48360F20841AE958A7650C375A944CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012BAFFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 92fc094ba797e72f01a18a91351a1cd4108b88c3a8536ea9e715cbd01f0f3631
                                                    • Instruction ID: df3759097ab031591dfc0faa5172900d062ac5d57f329fa949d7cd6d291c17bb
                                                    • Opcode Fuzzy Hash: 92fc094ba797e72f01a18a91351a1cd4108b88c3a8536ea9e715cbd01f0f3631
                                                    • Instruction Fuzzy Hash: A511E0B5C002498FDB14CF9AC484BDEFBF4EB88364F10842AD569A7210D379A545CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0C23877D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 842c1a73e06d8db22f27e5edd582a40cb5983ddd1b8f79c4ce4cee2123a6fe63
                                                    • Instruction ID: f1a51aa6fa23f3ce5ed4b7e0f93b848c6bec5a2eeb2b23bb8bd585a6c6b5fcb5
                                                    • Opcode Fuzzy Hash: 842c1a73e06d8db22f27e5edd582a40cb5983ddd1b8f79c4ce4cee2123a6fe63
                                                    • Instruction Fuzzy Hash: E41106B5800349DFCB10DF9AD884BDEFBF8EB48310F10841AE558A7650C375AA44CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716665479.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_124d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c5b5397b078d0b36ac077f8b28df767fb37af45e373bdd847a98920277cbdc87
                                                    • Instruction ID: 6248fd5e8f48b4430ec179027c29c7c0e4515cc3c2bced5b5af115298c478197
                                                    • Opcode Fuzzy Hash: c5b5397b078d0b36ac077f8b28df767fb37af45e373bdd847a98920277cbdc87
                                                    • Instruction Fuzzy Hash: 62214571610208DFCB09DF58E9C0B2ABF65FBA8318F20C169E9090B256C736D456CAE1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716665479.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_124d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0664dfad50e803fc7b7739f08ea385498d865ecc20ed54475f42146644d835a
                                                    • Instruction ID: 529452a76a2cde2b72231801586ed2341c54ed5309e346fd1f384a9868e2b244
                                                    • Opcode Fuzzy Hash: e0664dfad50e803fc7b7739f08ea385498d865ecc20ed54475f42146644d835a
                                                    • Instruction Fuzzy Hash: EB216775510208DFDB09DF58C9C0B66BF65FBA8324F20C16DE90A0F256C33AE456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716707255.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_125d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a91c7cc28511680063751f0f6c207ae6e52534a81925dfc59c76696b876efaba
                                                    • Instruction ID: b19b12d9ab0989d6be67036f02f1cbc906a246f81b5d0416aa32da94d0db8090
                                                    • Opcode Fuzzy Hash: a91c7cc28511680063751f0f6c207ae6e52534a81925dfc59c76696b876efaba
                                                    • Instruction Fuzzy Hash: 43214270214208DFCB51DF68D9C0B26BFA1EB84314F20C56DDD0A4B256C37AD407CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716707255.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_125d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e563794630f549067dcb6a8c441a60529d20a9fd6f4cf1a62ac90ef3231477e2
                                                    • Instruction ID: d72c03bd0912ecfb5b9a86a252578b4bd197306b213ac2107cc62bb2812eb1d6
                                                    • Opcode Fuzzy Hash: e563794630f549067dcb6a8c441a60529d20a9fd6f4cf1a62ac90ef3231477e2
                                                    • Instruction Fuzzy Hash: 52219A755093848FDB03CF24D9D4B15BF71EB46314F28C5EAD9498B2A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716665479.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_124d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction ID: 4649855a50f3e73c96bdc158402cdeb308e4fd472b85c8a28bc1f5eca8b958d6
                                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction Fuzzy Hash: 64110376504284CFCB16CF54E5C4B16BF71FB94318F24C6A9D9090B257C336D45ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716665479.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_124d000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .I;
                                                    • API String ID: 0-2046373455
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1731503675.000000000C230000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c230000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1716920960.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12b0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Execution Graph

                                                    Execution Coverage:11.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:147
                                                    Total number of Limit Nodes:16
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V j
                                                    • API String ID: 0-4031615456
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V j$\V j
                                                    • API String ID: 0-1656524309

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V j$\V j
                                                    • API String ID: 0-1656524309

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR^q$LR^q
                                                    • API String ID: 0-4089051495

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2942239474.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5900000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: d082e261afd869e537a6dd4227f4f09bd94ba4ec9031f2842d833f092aeee771
                                                    • Instruction ID: 3bddef7e4f834b1072fcd04ec46dffb57a575a072363798039ac56a3924ef02f
                                                    • Opcode Fuzzy Hash: d082e261afd869e537a6dd4227f4f09bd94ba4ec9031f2842d833f092aeee771
                                                    • Instruction Fuzzy Hash: 10713670A00B058FDB24DF29D44576ABBF6FF88304F148A2DD48AD7A90DB75E945CB90

                                                    Control-flow Graph (function at 590c8c4, calls CreateWindowExW; graph image not reproduced)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0590C9E2
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2942239474.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5900000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: fdf930481db783b6a567d3ac07ef9f125791427b20acc91b95073733c1e7e51a
                                                    • Instruction ID: aa8755d5b843e6e74caef0783e35b62f5655d5915fcb8c369620c4a27b795ed5
                                                    • Opcode Fuzzy Hash: fdf930481db783b6a567d3ac07ef9f125791427b20acc91b95073733c1e7e51a
                                                    • Instruction Fuzzy Hash: 1E51C2B1D10359AFDB14CFA9C884ADEFFB5BF48310F24862AE819AB250D7709845CF91

                                                    Control-flow Graph (function at 590c8d0, calls CreateWindowExW; graph image not reproduced)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0590C9E2
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2942239474.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5900000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: ae50608bb6a270f1044104e2ee59c5eb927ac900c1ce8fe25711a6ee46304c64
                                                    • Instruction ID: be2d4612ef7be39d43fa1b2c073e959b3cdb0c6079501997828e03dc9bd153c8
                                                    • Opcode Fuzzy Hash: ae50608bb6a270f1044104e2ee59c5eb927ac900c1ce8fe25711a6ee46304c64
                                                    • Instruction Fuzzy Hash: 5141C0B1D103199FDF14CF9AC984ADEFBB5BF48310F24862AE819AB250D7709885CF90

                                                    Control-flow Graph (function at 590d85c, calls CallWindowProcW; graph image not reproduced)
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0590F0D1
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2942239474.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5900000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 299f94e845abfd2691089b12099bb4de508c0b135c370017b5727e38ec012dd8
                                                    • Instruction ID: d75ef9cacf56a38054624d0cd6d9d91e7280fc96f9e9cd6e08bbb42910519003
                                                    • Opcode Fuzzy Hash: 299f94e845abfd2691089b12099bb4de508c0b135c370017b5727e38ec012dd8
                                                    • Instruction Fuzzy Hash: 60411BB5A00309CFCB14CF59C448AABBBF5FB88314F24C859D559AB361D775A941CFA0

                                                    Control-flow Graph (function at 590964c, calls GetModuleHandleW; graph image not reproduced)
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0590A704), ref: 0590A93E
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2942239474.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_5900000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 99cb15b5d29e7693589fd52a8972af43a8b0f3e4806c8ebbbf8a73139494d376
                                                    • Instruction ID: a860e39454003dbeeb6ac9cfda189ca5137ab66bf80b9f25675d58cc6ec4de43
                                                    • Opcode Fuzzy Hash: 99cb15b5d29e7693589fd52a8972af43a8b0f3e4806c8ebbbf8a73139494d376
                                                    • Instruction Fuzzy Hash: 2F1102B5D003498FCB10CF9AC444ADEFBF5EB88224F10886AD969A7250C379A545CFA5

                                                    Control-flow Graph (function at ff3e74; graph image not reproduced)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V j
                                                    • API String ID: 0-4031615456
                                                    • Opcode ID: ca8b426bc52532a24c4ca29069f08fc6592d51809c70bb4248c1b169078a2869
                                                    • Instruction ID: 584454351018f1d93fa2f3e854ff00f53bd16719e37b726b69d5b0eaeb06fa3a
                                                    • Opcode Fuzzy Hash: ca8b426bc52532a24c4ca29069f08fc6592d51809c70bb4248c1b169078a2869
                                                    • Instruction Fuzzy Hash: 0DA16E70E0020DDFDF14CFA8D9857EEBBF1AF48314F148129E515A72A4EB749986DB81

                                                    Control-flow Graph (function at fff2ed; graph image not reproduced)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH^q
                                                    • API String ID: 0-2549759414
                                                    • Opcode ID: 260274408a0601ca6036949801d43d2292ec96b9c4847f92c14f2175f07e7168
                                                    • Instruction ID: df8df5f7734eb232c1eb586f6cbd6319714a7fa40e6756c7e758ca6a3e638986
                                                    • Opcode Fuzzy Hash: 260274408a0601ca6036949801d43d2292ec96b9c4847f92c14f2175f07e7168
                                                    • Instruction Fuzzy Hash: 00411F30B002098FCB06AB74C56476F7BE2AFC9350F144478D406EB3A5EE79CC4AAB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR^q
                                                    • API String ID: 0-2625958711
                                                    • Opcode ID: 80a56f6a3ef10ee3dec1064c1257b18012ab67f556054a994005eed46b65cd91
                                                    • Instruction ID: 12575ba3a7d8f82093542d153423d87505ce71ffd30a977c1b0e6e1a8a56d77e
                                                    • Opcode Fuzzy Hash: 80a56f6a3ef10ee3dec1064c1257b18012ab67f556054a994005eed46b65cd91
                                                    • Instruction Fuzzy Hash: D0316C31E102098BDB14DFA5D4447AEF7B2FF89320F208525E916EB290EF71AD46DB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR^q
                                                    • API String ID: 0-2625958711
                                                    • Opcode ID: 66cc4ec8d3e6f534a52551b90c09c6bce0e88996500117cf0adf20da744f4b19
                                                    • Instruction ID: 9d1d1ca65582d2b996267bf5eaa2106afa9bf169ebeb5dc2acf80a18842fb1ee
                                                    • Opcode Fuzzy Hash: 66cc4ec8d3e6f534a52551b90c09c6bce0e88996500117cf0adf20da744f4b19
                                                    • Instruction Fuzzy Hash: 73210131704210AFC715EB3DD4513AE7BA2EF86704B0085AAD049CB7A6EFB59C068B91
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c88e934dcf99b6a6e1603f794f703c310f69a989650d966ba9b54b2742bb8067
                                                    • Instruction ID: ae3ddf7b5a97015e936e6d2b3712ccc0018a0b804733993dc40a1295521789fe
                                                    • Opcode Fuzzy Hash: c88e934dcf99b6a6e1603f794f703c310f69a989650d966ba9b54b2742bb8067
                                                    • Instruction Fuzzy Hash: 67126E30B10205CFDB15AB38F999228B7A2FF89314F904939E106CB366DFB5DD469B90
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53fdab658bf405547948c0f69101dd775942c0ca8e2c1b8585a5db9c480f3ade
                                                    • Instruction ID: f008b5b85d3afff21a763b6f35df964238bb6d03986abc3a67f74db84cb6fbfe
                                                    • Opcode Fuzzy Hash: 53fdab658bf405547948c0f69101dd775942c0ca8e2c1b8585a5db9c480f3ade
                                                    • Instruction Fuzzy Hash: D1E17035B142089FCB14DF64D994BADBBB2EF89320F248429E506E73A4DB75DC42DB81
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5489e89c4e5a6b6c17e7dbe79cdda953164934abe1062d2c3d86f97f85bf3657
                                                    • Instruction ID: e659cb763ee6441ff969e8546e1eb025a95401e6d342a1577ed67819053b0b0d
                                                    • Opcode Fuzzy Hash: 5489e89c4e5a6b6c17e7dbe79cdda953164934abe1062d2c3d86f97f85bf3657
                                                    • Instruction Fuzzy Hash: 3BC19D31E042098FDB14DF69D8807AEB7B1EF89320F208569E609DB3A5D7B4DC45CB91
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4d9641a524b22349b430b43f734e0da2133dd694d5648946f9d5ad163fc9161
                                                    • Instruction ID: 919e81743cc8f1fc0ad94ecbe900ceb6d318283f4ac4a28f383a212a626b2945
                                                    • Opcode Fuzzy Hash: a4d9641a524b22349b430b43f734e0da2133dd694d5648946f9d5ad163fc9161
                                                    • Instruction Fuzzy Hash: CFA13D70E0020D8FDB10CFA9D9857EEBBF1AF88314F148129D919E7265EB74A885DB91
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a9d9e73c8cf9c24589bef5b376cdd285d45dbf88b009b992e312b0f570bb7ae
                                                    • Instruction ID: 8c4caa8b9b0dfef80b96c8363ab2a71a8bcec0600f22f4178108087591fc8d0b
                                                    • Opcode Fuzzy Hash: 5a9d9e73c8cf9c24589bef5b376cdd285d45dbf88b009b992e312b0f570bb7ae
                                                    • Instruction Fuzzy Hash: 67511C71145145CFCB06FB68FBA095A7FB1FB963087048A69D1044BA3EEFE07A49DB60
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: def3fdf6e50b24a0eae499778855390108e8acf1e7e2b1275d8b89053f31a1f2
                                                    • Instruction ID: 917d7426c8ccc24d9780e925e016d3858eae6c80ca86a7508aaca7b28a291874
                                                    • Opcode Fuzzy Hash: def3fdf6e50b24a0eae499778855390108e8acf1e7e2b1275d8b89053f31a1f2
                                                    • Instruction Fuzzy Hash: 0B513575E002188FDB18CFA9C845BEEBBB1BF48314F148129E819BB361DB74A844DF95
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 30bee78ee7cbc8c763a5f72efb37197eded10a789769f0e006d7e551fe19e8c7
                                                    • Instruction ID: 54bde34ffac6c766261f9248a242b91936157fa1da91517cacc9dcc20afbe246
                                                    • Opcode Fuzzy Hash: 30bee78ee7cbc8c763a5f72efb37197eded10a789769f0e006d7e551fe19e8c7
                                                    • Instruction Fuzzy Hash: 86510475E002188FDB18CFA9C884BEDBBB1BF48714F148129E819BB361DB74A845DF95
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81a3ae03fd987cb97ed98b3022e2cbd393c1364515e1a7f554b295bf123aca0e
                                                    • Instruction ID: b875ed3d6c8528d8fd47cb2da52e2f3bf0faf3c67f4b7738cbf4183b129ff910
                                                    • Opcode Fuzzy Hash: 81a3ae03fd987cb97ed98b3022e2cbd393c1364515e1a7f554b295bf123aca0e
                                                    • Instruction Fuzzy Hash: 3451B7702411458FCB06EB68FB9094A7BB1E7963087448A69D0144BB3EFFF07A49DBA0
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e67f72e9dd7421ab8e6e53c6d49113230b1ea2a1275e1e19b63238917553d98
                                                    • Instruction ID: d256c0995a91698060b7874c776876d970c145abe0f345847252ebfc5684e5cd
                                                    • Opcode Fuzzy Hash: 2e67f72e9dd7421ab8e6e53c6d49113230b1ea2a1275e1e19b63238917553d98
                                                    • Instruction Fuzzy Hash: 13319035E10209DFCB15CFA4D8956AEB7B2BF89310F148929E906E7790EB70EC46CB50
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2933153013.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_ff0000_FYCC new order S460013746-560121121.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1d48f4d8ad498073b681777ffe774e38c36b293b6d792bfdc448f191ad94ce70

                                                    Execution Graph

                                                    Execution Coverage: 7.8%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 77
                                                    Total number of Limit Nodes: 4

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 744 101ada8-101adb7 745 101ade3-101ade7 744->745 746 101adb9-101adc6 call 101a0cc 744->746 747 101ade9-101adf3 745->747 748 101adfb-101ae3c 745->748 753 101adc8 746->753 754 101addc 746->754 747->748 755 101ae49-101ae57 748->755 756 101ae3e-101ae46 748->756 799 101adce call 101b031 753->799 800 101adce call 101b040 753->800 754->745 757 101ae59-101ae5e 755->757 758 101ae7b-101ae7d 755->758 756->755 761 101ae60-101ae67 call 101a0d8 757->761 762 101ae69 757->762 760 101ae80-101ae87 758->760 759 101add4-101add6 759->754 763 101af18-101afd8 759->763 766 101ae94-101ae9b 760->766 767 101ae89-101ae91 760->767 764 101ae6b-101ae79 761->764 762->764 794 101afe0-101b00b GetModuleHandleW 763->794 795 101afda-101afdd 763->795 764->760 768 101aea8-101aeaa call 101a0e8 766->768 769 101ae9d-101aea5 766->769 767->766 773 101aeaf-101aeb1 768->773 769->768 775 101aeb3-101aebb 773->775 776 101aebe-101aec3 773->776 775->776 778 101aee1-101aeee 776->778 779 101aec5-101aecc 776->779 784 101af11-101af17 778->784 785 101aef0-101af0e 778->785 779->778 780 101aece-101aede call 101a0f8 call 101a108 779->780 780->778 785->784 796 101b014-101b028 794->796 797 101b00d-101b013 794->797 795->794 797->796 799->759 800->759
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0101AFFE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 0bc77165d990e70c51352e2d0cb11d8d721688dbc0ac924b8d6dc6a67a65dd01
                                                    • Instruction ID: e568f46da7461a793af3574526ac1a50d615e4a35c46163696c9acdf52329abd
                                                    • Opcode Fuzzy Hash: 0bc77165d990e70c51352e2d0cb11d8d721688dbc0ac924b8d6dc6a67a65dd01
                                                    • Instruction Fuzzy Hash: 75713270A01B45CFD765DF69D44179ABBF1BF88300F008A2DE48ADBA54D739E949CB90

                                                    Control-flow Graph

                                                    control_flow_graph 801 101590c-10159d9 CreateActCtxA 803 10159e2-1015a3c 801->803 804 10159db-10159e1 801->804 811 1015a4b-1015a4f 803->811 812 1015a3e-1015a41 803->812 804->803 813 1015a51-1015a5d 811->813 814 1015a60 811->814 812->811 813->814 816 1015a61 814->816 816->816
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 010159C9
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: d5885b7365317f96383d6e4fd9098b56f6b6a2e800065d9896288af7ec071cae
                                                    • Instruction ID: 500dba7c3c03187cef05f834312d53e14f023a8c5c5306046b785a4d5b56f1dd
                                                    • Opcode Fuzzy Hash: d5885b7365317f96383d6e4fd9098b56f6b6a2e800065d9896288af7ec071cae
                                                    • Instruction Fuzzy Hash: E941E2B1C00719DBDB24DFA9C8847CDBBF5BF89304F24806AD448AB254DB796946CF90

                                                    Control-flow Graph

                                                    control_flow_graph 817 10144c4-10159d9 CreateActCtxA 820 10159e2-1015a3c 817->820 821 10159db-10159e1 817->821 828 1015a4b-1015a4f 820->828 829 1015a3e-1015a41 820->829 821->820 830 1015a51-1015a5d 828->830 831 1015a60 828->831 829->828 830->831 833 1015a61 831->833 833->833
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 010159C9
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 52d079a5200097e47c7d60e66551b9e6f275699cc44835a060ffda05cf19c0e2
                                                    • Instruction ID: 5cac6538278a1b6883cb9e7e2c71dd82214a8a5bd1949f49e0809745d5d787d7
                                                    • Opcode Fuzzy Hash: 52d079a5200097e47c7d60e66551b9e6f275699cc44835a060ffda05cf19c0e2
                                                    • Instruction Fuzzy Hash: BB41F1B0C0071DCBDB24DFA9C884B8DBBF5BF89304F2480AAD448AB255DB756946CF90

                                                    Control-flow Graph

                                                    control_flow_graph 834 4f54040-4f5407c 835 4f54082-4f54087 834->835 836 4f5412c-4f5414c 834->836 837 4f54089-4f540c0 835->837 838 4f540da-4f54112 CallWindowProcW 835->838 842 4f5414f-4f5415c 836->842 844 4f540c2-4f540c8 837->844 845 4f540c9-4f540d8 837->845 840 4f54114-4f5411a 838->840 841 4f5411b-4f5412a 838->841 840->841 841->842 844->845 845->842
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F54101
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1765012727.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_4f50000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 400bc9672cb1dc6b7e50a3712b31e36ea666f832a9dd4bb9cd7100ab64d58637
                                                    • Instruction ID: 8c4dad326af6260bd006b57a5ec3e5bf1959a17c36d32585b680d1dad7cec520
                                                    • Opcode Fuzzy Hash: 400bc9672cb1dc6b7e50a3712b31e36ea666f832a9dd4bb9cd7100ab64d58637
                                                    • Instruction Fuzzy Hash: 3E4147B5A00209DFDB15CF99C848BAABBF5FF88314F24C459D519AB325D374A881CFA0

                                                    Control-flow Graph

                                                    control_flow_graph 848 101d27c-101d724 DuplicateHandle 850 101d726-101d72c 848->850 851 101d72d-101d74a 848->851 850->851
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0101D656,?,?,?,?,?), ref: 0101D717
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: d320309678ad0ae1be918d2c8282e472e987c0d9376c74fdda19838cbb3842ea
                                                    • Instruction ID: 866db9e4e29a4ced071a194f5acfc945e6af31b06677af98c684a8957c50d0ba
                                                    • Opcode Fuzzy Hash: d320309678ad0ae1be918d2c8282e472e987c0d9376c74fdda19838cbb3842ea
                                                    • Instruction Fuzzy Hash: 9E2103B5900248EFDB10CFAAD484ADEBBF4FB48310F10841AE958A7310D378A940CFA5

                                                    Control-flow Graph

                                                    control_flow_graph 854 101d689-101d724 DuplicateHandle 855 101d726-101d72c 854->855 856 101d72d-101d74a 854->856 855->856
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0101D656,?,?,?,?,?), ref: 0101D717
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: c8d0da65071cffbb7069fa212b9b19d4ffea3cc85ad569c3887370e9e7705c0b
                                                    • Instruction ID: 09c4bbf44d701d5ba674cf070d14358e423808728bce42e299879254c7040041
                                                    • Opcode Fuzzy Hash: c8d0da65071cffbb7069fa212b9b19d4ffea3cc85ad569c3887370e9e7705c0b
                                                    • Instruction Fuzzy Hash: C92116B5900249DFDB10CFAAD484ADEBFF4FB48310F10801AE954A7310D378A941CFA0

                                                    Control-flow Graph

                                                    control_flow_graph 859 101af98-101afd8 860 101afe0-101b00b GetModuleHandleW 859->860 861 101afda-101afdd 859->861 862 101b014-101b028 860->862 863 101b00d-101b013 860->863 861->860 863->862
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0101AFFE
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761797490.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_1010000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: cf15f36f0dcd9270d7a80d34726580f5d9b89d21670f96c22ef774640fa4df49
                                                    • Instruction ID: c3a82608aefaa270b08840982c1a373c80d76d757bbd5dc34b86ae17bc1aaf78
                                                    • Opcode Fuzzy Hash: cf15f36f0dcd9270d7a80d34726580f5d9b89d21670f96c22ef774640fa4df49
                                                    • Instruction Fuzzy Hash: 521110B5C00249CFDB20CF9AC444BDEFBF4AB88324F10846AD568A7214C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 05567B6D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1765930227.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_5560000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 0b557841375d641cd2dbab6499c39eb5a43e346f4d9c864c0f097a911ce1dbc1
                                                    • Instruction ID: 4f4d6b47b08f97a3441896215f876b375e7b1594361792c0204044714c8e0573
                                                    • Opcode Fuzzy Hash: 0b557841375d641cd2dbab6499c39eb5a43e346f4d9c864c0f097a911ce1dbc1
                                                    • Instruction Fuzzy Hash: 591115B5800348DFDB10DF9AD485BDEBBF4FB48324F10841AE568A7250D379A984CFA5

                                                    Control-flow Graph

                                                    control_flow_graph 865 5567398-5567b7a PostMessageW 867 5567b83-5567b97 865->867 868 5567b7c-5567b82 865->868 868->867
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 05567B6D
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1765930227.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_5560000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 5dc385399236c270b47d1b4d2f7381af81c15fdf7d09c7aed4ea1146024036d9
                                                    • Instruction ID: fd72c4c93b187c9170bf95d65bcdb9d2ef91247d3ababdaf683df65f1aa1fc98
                                                    • Opcode Fuzzy Hash: 5dc385399236c270b47d1b4d2f7381af81c15fdf7d09c7aed4ea1146024036d9
                                                    • Instruction Fuzzy Hash: FE1103B5800348DFDB20DF9AC445BDEBBF8FB48324F108819E568A7251D375A994CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1758891635.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ead000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b7a23868ed9c591f942098a985b1f412bf18564dda24968f2eb51f72d16ab09
                                                    • Instruction ID: 145e85cf5498d59beada81f2d235691d9ff64337e66f55962b394b3cecd90237
                                                    • Opcode Fuzzy Hash: 2b7a23868ed9c591f942098a985b1f412bf18564dda24968f2eb51f72d16ab09
                                                    • Instruction Fuzzy Hash: 82213371908200DFCB01DF14D9C0B2ABFA5FB9C318F20C569E80A1F656C336E856CAA1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1758891635.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ead000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 892bbd30bc6ecfc21fb0406200538ccae9f5a447d54c0461861b58ca82ca5d1b
                                                    • Instruction ID: 147e9adf33d01a9aaece2141089f53b425481c9ab4f425fedd02db590f39822f
                                                    • Opcode Fuzzy Hash: 892bbd30bc6ecfc21fb0406200538ccae9f5a447d54c0461861b58ca82ca5d1b
                                                    • Instruction Fuzzy Hash: 45213671108204DFDB00DF04C9C0B1ABF65FB9C324F20C169D80A5F656C336F856C6A1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761513729.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ebd000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
                                                    • Instruction ID: 624c97ea8905650674b5a68d6290c8e1a430d1aa06d561822802413e93c4ee0e
                                                    • Opcode Fuzzy Hash: d0ddea6f4141cf8f14ebd7d4d82199d9aa5b7866ddcaf642442919db2ca04a66
                                                    • Instruction Fuzzy Hash: 6D210475608200DFCB14EF14D9C4B67BFA6FB88318F24C56DD84A5B296D33AD847CA61
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1761513729.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ebd000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
                                                    • Instruction ID: 4f1cb432e4cf66e8658b757a8bd1b0f1aa87acc53dfe0690c4172bb2b4ff3e85
                                                    • Opcode Fuzzy Hash: 14acfc0da0d8d3aa18ad883a48d7669a389db2a4b5da51fe537475ac27c6d9b4
                                                    • Instruction Fuzzy Hash: 5521837550D3808FCB02DF24D994756BF71EB46314F28C5DAD8498F2A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1758891635.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ead000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction ID: 0c472fd4683b1baa01656824ec21cec94073bd40d2e19a09d5aca97a2bc3d5d3
                                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction Fuzzy Hash: FF11D676904240CFCB15CF14D9C4B16BF71FB98318F24C5A9D8454F656C336E456CB91
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.1758891635.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_ead000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction ID: c153858c3fdcf4bd11069e470debd0401b4b94b8770fa7ce82a40f5f225332ad
                                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                    • Instruction Fuzzy Hash: 2D110376404240CFDB12CF00D9C4B16BF71FB98328F24C2A9D80A0F656C33AE85ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 510754f8329a71c60ebdeb6a872df48ea25bfe4cedcefda0595789e4f3849056
                                                    • Instruction ID: f4e1301c7275fb68a4bffb0f838b095e37250b63021aeb8592703c183b0828c0
                                                    • Opcode Fuzzy Hash: 510754f8329a71c60ebdeb6a872df48ea25bfe4cedcefda0595789e4f3849056
                                                    • Instruction Fuzzy Hash: CE53E931C10B1A8ADB51EF68C8805E9F7B1FF99300F55D79AE4587B121EB70AAD4CB81
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fbffd15733e87efad3355502fcecbac7d2bc1d67611fdd62f0fbda57d2fc0d2b
                                                    • Instruction ID: 2ecc0506c95b08203115bcde504dd0c14b3aa557a3d98231a23d47f31ffa94ae
                                                    • Opcode Fuzzy Hash: fbffd15733e87efad3355502fcecbac7d2bc1d67611fdd62f0fbda57d2fc0d2b
                                                    • Instruction Fuzzy Hash: A0331D31D107198EDB11EF68C8906EDF7B1FF99300F15C69AE459AB211EB70AAC5CB81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V j
                                                    • API String ID: 0-4031615456
                                                    • Opcode ID: 2a97ad9006c6c7b189e158d13cc4f44380abf0fd387b332be0db585f4ce1ff90
                                                    • Instruction ID: 46b4121875a20d653cec64ba6f0636168d524da672986ce47c92ac2cef0bc140
                                                    • Opcode Fuzzy Hash: 2a97ad9006c6c7b189e158d13cc4f44380abf0fd387b332be0db585f4ce1ff90
                                                    • Instruction Fuzzy Hash: B0915E70E00209DFDF24CFA9C9857DEBBF2BF88314F148529E455AB294EB749845CB91
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dfe184418897364cd832d099ea63e8d8f7d9bcef49dacd7dbef0b9b3cf34a24b
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 84241c8e01ace65c8317d388bd89ce373a1d38c6174da5c90f5437b2001ddeab
                                                    • Instruction ID: 4689b29e8f72f4eed90a65d61c860daf93a0406e839b2d4a5029772b523cb698
                                                    • Opcode Fuzzy Hash: 84241c8e01ace65c8317d388bd89ce373a1d38c6174da5c90f5437b2001ddeab
                                                    • Instruction Fuzzy Hash: 7B213E342002018FDB62AE28F9D4B9E7759FB45344F106A35D806DB656EB38DC858B91
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dfa8ea6c39b0bc248aa6b5547cc0710fa395f1d08a4a9801dd6b4aa7439af392
                                                    • Instruction ID: 9bde03ed2a58f51fecf42ce155e5692ae2babedef638ccd0521b40c44b63414d
                                                    • Opcode Fuzzy Hash: dfa8ea6c39b0bc248aa6b5547cc0710fa395f1d08a4a9801dd6b4aa7439af392
                                                    • Instruction Fuzzy Hash: E3217C30B00645CFDB64EB78D5E42EE77F2BF89204F204568D116EB2A1DB369D40CB51
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c11cb992df25cc6fb4e377f03776cacd3b04fc0e2a3d09f66b3a38ad375c550
                                                    • Instruction ID: 2c0eebf37f2859300b6b5f3fff644b18a91e0c85b289676663a3eab0d1303d01
                                                    • Opcode Fuzzy Hash: 2c11cb992df25cc6fb4e377f03776cacd3b04fc0e2a3d09f66b3a38ad375c550
                                                    • Instruction Fuzzy Hash: 62212434600209CFCB28DB79C598AAE77F1FF8D600B1004A8E506EB3A1EB369D00CB91
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2931828445.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_113d000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7cd426597b914e083d5773e8a9328bd5cf767d6a3f342608f66503ec106a9273
                                                    • Instruction ID: 36280203bbeeeeef746db5b60ae79940a0f532020520eff9ccfc907fa8665d8e
                                                    • Opcode Fuzzy Hash: 7cd426597b914e083d5773e8a9328bd5cf767d6a3f342608f66503ec106a9273
                                                    • Instruction Fuzzy Hash: 8F2180755083809FCB06CF64D994B11BF71EB86214F28C5DAD8498F2A7C33A981ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68ea6ee41d2d473f5c1fd88a9ca2ab3e2a7dfc063d353e81e73ddb717d7fd0c3
                                                    • Instruction ID: 7647f7570fe4db7e5c3a41caa170990fa31d434642cc1428f81221e3fb130af5
                                                    • Opcode Fuzzy Hash: 68ea6ee41d2d473f5c1fd88a9ca2ab3e2a7dfc063d353e81e73ddb717d7fd0c3
                                                    • Instruction Fuzzy Hash: 3F118230B102048FDF655A7CD9803AF72B6FB45250F204939F006DF392DA65CE824BD5
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f30e0125c45738b05453fbd668a1baa90827aa5031fcfc59f3a7b92d50df79ce
                                                    • Instruction ID: 71ea33ab6e5ffc20b190c92a7bd1ff5970a496647cd3f430fed94b7b4461fda8
                                                    • Opcode Fuzzy Hash: f30e0125c45738b05453fbd668a1baa90827aa5031fcfc59f3a7b92d50df79ce
                                                    • Instruction Fuzzy Hash: 0A119130A003059FDF265BB8D9803AF77B5FB42254F14497AF402DF2D2DA69CA828BD1
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 49ef791d4388b2180c3fcffcadc8313a5e238f8f5694d91507311629013221f1
                                                    • Instruction ID: 3b969892806d6cba5e0baf58351fcfd93312db7da40f3b7391f59bfc66335e44
                                                    • Opcode Fuzzy Hash: 49ef791d4388b2180c3fcffcadc8313a5e238f8f5694d91507311629013221f1
                                                    • Instruction Fuzzy Hash: 3F115E30A0120A9FDF11EB68E9806DEBBA9EB84344F1055B9C409DB264DB39AE458B91
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3268000590d31c00fe31b73b2d79512ee86876397368cdfb7469147d8d247abe
                                                    • Instruction ID: b2dc299fc0789d9ec1ce6cdf461c482039182300f7ab7e6c804e3d012414139f
                                                    • Opcode Fuzzy Hash: 3268000590d31c00fe31b73b2d79512ee86876397368cdfb7469147d8d247abe
                                                    • Instruction Fuzzy Hash: A1112131A007169FCB61EFB894D41EEB7F5FF98260F24047AD805EB345E639D9428BA1
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e40c6270434e1a2d765989f25722cbde3258684a9ca6942b2bb6e286eb0a8e9
                                                    • Instruction ID: 15b026b52e44cf1a8a2db9eea8650f22dfed2c3bb1f2025e7d68de7205491610
                                                    • Opcode Fuzzy Hash: 4e40c6270434e1a2d765989f25722cbde3258684a9ca6942b2bb6e286eb0a8e9
                                                    • Instruction Fuzzy Hash: B711E57AF006118BCF519F78AC9829F7BE9FB88214F140569E909E7344E738C911CBC2
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f53788cb1aa1c788bf1e2caa5b6a000220ff067777d8511e53e7a898b4e02ad
                                                    • Instruction ID: 5c446f33ce675a33ae599add29cb9d74f830d14661503d0696f3c8508a535f5c
                                                    • Opcode Fuzzy Hash: 4f53788cb1aa1c788bf1e2caa5b6a000220ff067777d8511e53e7a898b4e02ad
                                                    • Instruction Fuzzy Hash: 28012131B006159FCF61EFB994D01DEBBF5FB48210B24047AD805EB345E635D9418B91
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f943fb5876dc45afaa13050d41f18e992ef833d8428037dffe05a5edcc266a5
                                                    • Instruction ID: e1749a3d18dc2ef1736fc62a43ea9df6dd8c4fc638fb80254a8f4e7d2030d5dd
                                                    • Opcode Fuzzy Hash: 2f943fb5876dc45afaa13050d41f18e992ef833d8428037dffe05a5edcc266a5
                                                    • Instruction Fuzzy Hash: 95F02433A04911CFDB228BB8A8E01EDBFB1FEA821172C00A7D806DF295D635D442CB11
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e681394e5e32770071da830ad8982f6612ce93e4b81cbc44775ffe1c4b40061
                                                    • Instruction ID: 14c71aaebad52c8d2068c2505846d402e71de9faaacb5855bd281e22a7d5efc2
                                                    • Opcode Fuzzy Hash: 2e681394e5e32770071da830ad8982f6612ce93e4b81cbc44775ffe1c4b40061
                                                    • Instruction Fuzzy Hash: E3F0E739B40108CFC714DB74D998BAD77B6EF89719F1040A9E5069B3A4DB35AD42CF41
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2933184048.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_15b0000_zriEHRxkd.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2c238b7b1ad3ecd640b289ee0134d7860d15274a798f15e449475a4d60bf91a
                                                    • Instruction ID: 5068324e8920a11c7d65cc4625692994ad426a66a366e1eca1624f6def99113e
                                                    • Opcode Fuzzy Hash: a2c238b7b1ad3ecd640b289ee0134d7860d15274a798f15e449475a4d60bf91a
                                                    • Instruction Fuzzy Hash: D2F0F430910209EFCB04FFA8F94099DB7BDEB44304F105AB8C405A7254DF396F599B96