
Windows Analysis Report
btoawpdtjhjawd.exe

Overview

General Information

Sample name: btoawpdtjhjawd.exe
Analysis ID: 1643456
MD5: 2fb952bb97197ccbefab03689724abf4
SHA1: 113fb94edb9b11363c4c1390eda86176767ec76f
SHA256: 4cd99a0c6b436ee6423a6e366f67a60fb41d1bb23943b19f354de8d9d0e4be0e
Tags: exe, XWorm, user-aachum

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • btoawpdtjhjawd.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\btoawpdtjhjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
  • btoawpdtjhjawd.exe (PID: 4716 cmdline: "C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
  • btoawpdtjhjawd.exe (PID: 7144 cmdline: "C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
  • btoawpdtjhjawd.exe (PID: 2840 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe" MD5: 2FB952BB97197CCBEFAB03689724ABF4)
  • cleanup
{
  "C2 url": [
    "questions-when.gl.at.ply.gg"
  ],
  "Port": 31732,
  "Aes key": "<123456789>",
  "SPL": "<Neptune>",
  "Install file": "USB.exe"
}
Source | Rule | Description | Author | Strings
btoawpdtjhjawd.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
btoawpdtjhjawd.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
    • 0x6d24:$str02: ngrok
    • 0x8d96:$str02: ngrok
    • 0x8de0:$str02: ngrok
    • 0x6acb:$str03: Mutexx
    • 0x8eaa:$str04: FileManagerSplitFileManagerSplit
    • 0x8db4:$str05: InstallngC
    • 0x8ad0:$str06: downloadedfile
    • 0x8aa2:$str07: creatfile
    • 0x8a84:$str08: creatnewfolder
    • 0x8a66:$str09: showfolderfile
    • 0x8a48:$str10: hidefolderfile
    • 0x8a1a:$str11: txtttt
    • 0x92c9:$str12: \root\SecurityCenter2
    • 0x8f30:$str13: [USB]
    • 0x8f16:$str14: [Drive]
    • 0x8e98:$str15: [Folder]
    • 0x8d84:$str16: HVNC
    • 0x92f5:$str19: Select * from AntivirusProduct
    • 0x8898:$str20: runnnnnn
    • 0x8738:$str21: RunBotKiller
btoawpdtjhjawd.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x8f61:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x8ffe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x9113:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x9359:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
      • 0x6d24:$str02: ngrok
      • 0x8d96:$str02: ngrok
      • 0x8de0:$str02: ngrok
      • 0x6acb:$str03: Mutexx
      • 0x8eaa:$str04: FileManagerSplitFileManagerSplit
      • 0x8db4:$str05: InstallngC
      • 0x8ad0:$str06: downloadedfile
      • 0x8aa2:$str07: creatfile
      • 0x8a84:$str08: creatnewfolder
      • 0x8a66:$str09: showfolderfile
      • 0x8a48:$str10: hidefolderfile
      • 0x8a1a:$str11: txtttt
      • 0x92c9:$str12: \root\SecurityCenter2
      • 0x8f30:$str13: [USB]
      • 0x8f16:$str14: [Drive]
      • 0x8e98:$str15: [Folder]
      • 0x8d84:$str16: HVNC
      • 0x92f5:$str19: Select * from AntivirusProduct
      • 0x8898:$str20: runnnnnn
      • 0x8738:$str21: RunBotKiller
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0x8f61:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x8ffe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x9113:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x9359:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
        • 0x8d61:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x8dfe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x8f13:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x9159:$cnc4: POST / HTTP/1.1
00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
          • 0x9bc4:$str02: ngrok
          • 0x9c0e:$str02: ngrok
          • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
          • 0x9be2:$str05: InstallngC
          • 0x98fe:$str06: downloadedfile
          • 0x98d0:$str07: creatfile
          • 0x98b2:$str08: creatnewfolder
          • 0x9894:$str09: showfolderfile
          • 0x9876:$str10: hidefolderfile
          • 0x9848:$str11: txtttt
          • 0xa21f:$str12: \root\SecurityCenter2
          • 0x9d5e:$str13: [USB]
          • 0x9d44:$str14: [Drive]
          • 0x9cc6:$str15: [Folder]
          • 0x9bb2:$str16: HVNC
          • 0xa24b:$str19: Select * from AntivirusProduct
          • 0x9670:$str20: runnnnnn
          • 0x9510:$str21: RunBotKiller
00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0x9f31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x9fce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0xa0e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xa2af:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
            • 0x9bc4:$str02: ngrok
            • 0x9c0e:$str02: ngrok
            • 0x9cd8:$str04: FileManagerSplitFileManagerSplit
            • 0x9be2:$str05: InstallngC
            • 0x98fe:$str06: downloadedfile
            • 0x98d0:$str07: creatfile
            • 0x98b2:$str08: creatnewfolder
            • 0x9894:$str09: showfolderfile
            • 0x9876:$str10: hidefolderfile
            • 0x9848:$str11: txtttt
            • 0xa21f:$str12: \root\SecurityCenter2
            • 0x9d5e:$str13: [USB]
            • 0x9d44:$str14: [Drive]
            • 0x9cc6:$str15: [Folder]
            • 0x9bb2:$str16: HVNC
            • 0xa24b:$str19: Select * from AntivirusProduct
            • 0x9670:$str20: runnnnnn
            • 0x9510:$str21: RunBotKiller
0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
            • 0x9f31:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x9fce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xa0e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xa2af:$cnc4: POST / HTTP/1.1
0.2.btoawpdtjhjawd.exe.1af20000.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.btoawpdtjhjawd.exe.1af20000.1.unpack | rat_win_xworm_v2 | Finds XWorm v2 samples based on characteristic strings | Sekoia.io
              • 0x7dc4:$str02: ngrok
              • 0x7e0e:$str02: ngrok
              • 0x7ed8:$str04: FileManagerSplitFileManagerSplit
              • 0x7de2:$str05: InstallngC
              • 0x7afe:$str06: downloadedfile
              • 0x7ad0:$str07: creatfile
              • 0x7ab2:$str08: creatnewfolder
              • 0x7a94:$str09: showfolderfile
              • 0x7a76:$str10: hidefolderfile
              • 0x7a48:$str11: txtttt
              • 0x841f:$str12: \root\SecurityCenter2
              • 0x7f5e:$str13: [USB]
              • 0x7f44:$str14: [Drive]
              • 0x7ec6:$str15: [Folder]
              • 0x7db2:$str16: HVNC
              • 0x844b:$str19: Select * from AntivirusProduct
              • 0x7870:$str20: runnnnnn
              • 0x7710:$str21: RunBotKiller

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\btoawpdtjhjawd.exe, ProcessId: 6760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\btoawpdtjhjawd
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\btoawpdtjhjawd.exe, ProcessId: 6760, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
No Suricata rule has matched

AV Detection

Source: btoawpdtjhjawd.exe | Avira: detected
Source: questions-when.gl.at.ply.gg | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: btoawpdtjhjawd.exe | Malware Configuration Extractor: Xworm {"C2 url": ["questions-when.gl.at.ply.gg"], "Port": 31732, "Aes key": "<123456789>", "SPL": "<Neptune>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | ReversingLabs: Detection: 75%
Source: btoawpdtjhjawd.exe | Virustotal: Detection: 63%
Source: btoawpdtjhjawd.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: btoawpdtjhjawd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: btoawpdtjhjawd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: questions-when.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.8:49692 -> 147.185.221.25:31732
Source: global traffic | TCP traffic: 192.168.2.8:49694 -> 185.172.175.125:505
Source: global traffic | HTTP traffic detected: GET /76bh/img/main/Imagenep.png HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View | IP Address: 147.185.221.25 147.185.221.25
Source: Joe Sandbox View | IP Address: 185.172.175.125 185.172.175.125
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: questions-when.gl.at.ply.gg
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: abolhb.com
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp, btoawpdtjhjawd.exe, 00000000.00000002.2112230386.0000000002541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: btoawpdtjhjawd.exe, btoawpdtjhjawd.exe.0.dr, btoawpdtjhjawd.exe0.0.dr | String found in binary or memory: https://raw.githubusercontent.com/76bh/img/main/Imagenep.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.8:49693 version: TLS 1.2

System Summary

Source: btoawpdtjhjawd.exe, type: SAMPLE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: btoawpdtjhjawd.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: btoawpdtjhjawd.exe PID: 6760, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED | Matched rule: Finds XWorm v2 samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: btoawpdtjhjawd.exe, 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMasonClient.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe, 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe, 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameimage.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe | Binary or memory string: OriginalFilenameMasonClient.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe.0.dr | Binary or memory string: OriginalFilenameMasonClient.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe0.0.dr | Binary or memory string: OriginalFilenameMasonClient.exe4 vs btoawpdtjhjawd.exe
Source: btoawpdtjhjawd.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: btoawpdtjhjawd.exe, type: SAMPLE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: btoawpdtjhjawd.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: btoawpdtjhjawd.exe PID: 6760, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED | Matched rule: rat_win_xworm_v2 author = Sekoia.io, description = Finds XWorm v2 samples based on characteristic strings, creation_date = 2022-11-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/, id = 6cf06f52-0337-415d-8f29-f63d67e228f8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: btoawpdtjhjawd.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: btoawpdtjhjawd.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: btoawpdtjhjawd.exe0.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, Conviction.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: btoawpdtjhjawd.exe, Helper.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: btoawpdtjhjawd.exe, Helper.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: btoawpdtjhjawd.exe.0.dr, Helper.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: btoawpdtjhjawd.exe.0.dr, Helper.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: btoawpdtjhjawd.exe0.0.dr, Helper.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: btoawpdtjhjawd.exe0.0.dr, Helper.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, Conviction.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@4/5@3/3
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Mutant created: \Sessions\1\BaseNamedObjects\o7XUq2cmNHm9TSOr
              Source: btoawpdtjhjawd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: btoawpdtjhjawd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: btoawpdtjhjawd.exe | Virustotal: Detection: 63%
              Source: btoawpdtjhjawd.exe | ReversingLabs: Detection: 75%
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File read: C:\Users\user\Desktop\btoawpdtjhjawd.exe
              Source: unknown | Process created: C:\Users\user\Desktop\btoawpdtjhjawd.exe "C:\Users\user\Desktop\btoawpdtjhjawd.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe "C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe"
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: rasapi32.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: rasman.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: rtutils.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: btoawpdtjhjawd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: btoawpdtjhjawd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: btoawpdtjhjawd.exe, Helper.cs | .Net Code: img System.AppDomain.Load(byte[])
              Source: btoawpdtjhjawd.exe, Helper.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: btoawpdtjhjawd.exe.0.dr, Helper.cs | .Net Code: img System.AppDomain.Load(byte[])
              Source: btoawpdtjhjawd.exe.0.dr, Helper.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: btoawpdtjhjawd.exe0.0.dr, Helper.cs | .Net Code: img System.AppDomain.Load(byte[])
              Source: btoawpdtjhjawd.exe0.0.dr, Helper.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
              Source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, Conviction.cs | .Net Code: Surveillance System.Reflection.Assembly.Load(byte[])
              Source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, Conviction.cs | .Net Code: Surveillance System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File created: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe

              Boot Survival

              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe\:Zone.Identifier:$DATA
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run btoawpdtjhjawd
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Memory allocated: A70000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Memory allocated: 1A540000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Memory allocated: DF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Memory allocated: 1AB10000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Memory allocated: 1170000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Memory allocated: 1AFA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Memory allocated: 1540000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Memory allocated: 1B030000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe TID: 5568 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe TID: 2036 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe TID: 5568 | Thread sleep time: -922337203685477s >= -30000s
              Source: btoawpdtjhjawd.exe, 00000000.00000002.2110794327.0000000000764000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Queries volume information: C:\Users\user\Desktop\btoawpdtjhjawd.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | Queries volume information: C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe VolumeInformation
              Source: C:\Users\user\Desktop\btoawpdtjhjawd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: btoawpdtjhjawd.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: btoawpdtjhjawd.exe PID: 6760, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: btoawpdtjhjawd.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.1af20000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.btoawpdtjhjawd.exe.230000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.1af20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.btoawpdtjhjawd.exe.276d2c8.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: btoawpdtjhjawd.exe PID: 6760, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, type: DROPPED
MITRE ATT&CK Matrix

The report's matrix lists every tactic with a column of technique names; only the cells below carry a count badge, i.e. were actually matched by a signature for this sample. The number in parentheses is the badge value exactly as printed in the report.

Persistence: Registry Run Keys / Startup Folder (121), DLL Side-Loading (1)
Privilege Escalation: Registry Run Keys / Startup Folder (121), Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (1), Deobfuscate/Decode Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (31), System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)

No technique was flagged under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact; the names the matrix prints in those columns (Valid Accounts, OS Credential Dumping, Remote Services, Exfiltration Over C2 Channel, Data Encrypted for Impact and so on) are the matrix template, not observations about this sample.
Behavior Graph (ID 1643456, sample btoawpdtjhjawd.exe, start date 19/03/2025, architecture WINDOWS, score 100), flattened from the report's graph view:

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.

Processes: four instances of btoawpdtjhjawd.exe were started. The first is the submitted sample (the node carries the counters 15 and 6); the later ones include the copy run from AppData\Roaming, which wrote the .log file listed below.

Network contacts of the first process:
  questions-when.gl.at.ply.gg -> 147.185.221.25, port 31732, SALSGIVERUS, United States
  abolhb.com -> 185.172.175.125, port 505, HUGESERVER-NETWORKSUS, Lithuania
  raw.githubusercontent.com -> 185.199.108.133, port 443 (local port 49693), FASTLYUS, Netherlands

Files dropped by the first process (paths truncated by the graph; the full paths appear in the dropped-file and autostart sections):
  C:\Users\user\AppData\...\btoawpdtjhjawd.exe, PE32 (two copies)
  C:\...\btoawpdtjhjawd.exe:Zone.Identifier, ASCII (two copies; each copy received a Zone.Identifier stream, i.e. carries the Mark-of-the-Web, which is a convenient hunting artifact)
  Signature on this node: Drops PE files to the startup folder

Files dropped by the second instance:
  C:\Users\user\...\btoawpdtjhjawd.exe.log, CSV
  Signature on this node: Multi AV Scanner detection for dropped file

Antivirus detection (Source | Detection | Scanner | Label)

Sample:
  btoawpdtjhjawd.exe | 63% | Virustotal
  btoawpdtjhjawd.exe | 75% | ReversingLabs | Win32.Trojan.Jalapeno
  btoawpdtjhjawd.exe | 100% | Avira | TR/Dropper.Gen

Dropped files:
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | 100% | Avira | TR/Dropper.Gen (listed twice)
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe | 75% | ReversingLabs | Win32.Trojan.Jalapeno
  C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe | 75% | ReversingLabs | Win32.Trojan.Jalapeno

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs:
  https://raw.githubusercont | 0% | Avira URL Cloud | safe (truncated string as found in memory)
  questions-when.gl.at.ply.gg | 100% | Avira URL Cloud | phishing


Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  abolhb.com | 185.172.175.125 | true | false | none | high
  questions-when.gl.at.ply.gg | 147.185.221.25 | true | true | none | unknown
  raw.githubusercontent.com | 185.199.108.133 | true | false | none | high

URLs contacted (Name | Malicious | Antivirus Detection | Reputation):
  https://raw.githubusercontent.com/76bh/img/main/Imagenep.png | false | none | high
  questions-when.gl.at.ply.gg | true | Avira URL Cloud: phishing | unknown

URL strings found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation):
  https://raw.githubusercont | btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown (truncated string as found in memory)
  https://raw.githubusercontent.com | btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025C5000.00000004.00000800.00020000.00000000.sdmp and 00000000.00000002.2112230386.0000000002541000.00000004.00000800.00020000.00000000.sdmp | false | none | high
  http://raw.githubusercontent.com | btoawpdtjhjawd.exe, 00000000.00000002.2112230386.00000000025EC000.00000004.00000800.00020000.00000000.sdmp | false | none | high

IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
  185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
  147.185.221.25 | questions-when.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
  185.172.175.125 | abolhb.com | Lithuania | 25780 | HUGESERVER-NETWORKSUS | false

Practitioner notes on these indicators:
  - abolhb.com is marked "Malicious: false" and "Reputation: high", yet the sample connects to it on TCP port 505 (the "Detected TCP or UDP traffic on non-standard ports" signature) and the context tables further down associate it only with XWorm and Njrat samples. Treat it as C2 infrastructure regardless of the flag.
  - ply.gg hostnames are endpoints of the playit.gg tunnelling service, so 147.185.221.25 is a shared relay rather than the operator's own server; the ASN context below shows unrelated families on neighbouring 147.185.221.x addresses. The hostname and port pair is the useful indicator; blocking the bare IP also hits other tenants and does nothing about the operator's real host.
  - 185.199.108.133 is a Fastly CDN address shared by all of raw.githubusercontent.com. Block or alert on the specific URL (https://raw.githubusercontent.com/76bh/img/main/Imagenep.png, the "Ingress Tool Transfer" staging file), not the IP.
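The following is an added example for this page, not Joe Sandbox output or XWorm code. It turns the domain, URL and IP tables above into detection logic and runs it over a handful of connection records. The indicator table is copied from the report; the flow records are constructed in Zeek conn.log field order joined with the hostname and URL an analyst would pull from dns.log and http.log, and the internal hosts, the second ply.gg tenant name and the README fetch are assumptions. The point it demonstrates is the caveat from the notes above: an exact hostname-plus-port hit on a tunnel relay is a confirmed match, a bare IP hit on the same relay is only a lead, and the CDN-hosted staging file must be matched by URL.

```python
"""Match flow records against this report's network indicators and classify what a hit means."""
from dataclasses import dataclass
from typing import List, Tuple

# (destination IP, destination port) -> hostname, as observed in the sandbox run.
C2_IOCS = {
    ("147.185.221.25", 31732): "questions-when.gl.at.ply.gg",  # playit.gg tunnel relay
    ("185.172.175.125", 505): "abolhb.com",                   # direct C2 on TCP/505
}
C2_IPS = {ip for ip, _ in C2_IOCS}
# The GitHub fetch sits on a shared Fastly CDN address: block the URL, never the IP.
STAGING_URLS = {"https://raw.githubusercontent.com/76bh/img/main/Imagenep.png"}
TUNNEL_SUFFIXES = (".ply.gg",)        # playit.gg tunnel hostnames (assumed heuristic)
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}


@dataclass
class Flow:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    host: str   # resolved name, "-" if unknown
    url: str    # full URL if an HTTP/TLS log supplied one, else "-"


def parse_flows(text: str) -> List[Flow]:
    """Parse tab-separated records: ts orig_h resp_h resp_p proto host url."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, rh, rp, proto, host, url = line.split("\t")
        flows.append(Flow(float(ts), oh, rh, int(rp), proto, host, url))
    return flows


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, detail) for one flow, most specific rule first."""
    key = (flow.resp_h, flow.resp_p)
    if key in C2_IOCS:
        return "c2_exact", f"{C2_IOCS[key]} {flow.resp_h}:{flow.resp_p}"
    if flow.url in STAGING_URLS:
        return "payload_staging", flow.url
    if flow.host.endswith(TUNNEL_SUFFIXES) and flow.resp_p not in COMMON_PORTS:
        # Same relay service, different tenant name: worth a look, not a confirmed match.
        return "tunnel_relay_nonstd_port", f"{flow.host}:{flow.resp_p}"
    if flow.resp_h in C2_IPS:
        # Known C2 address on a port we have not seen: the relay is shared, so review only.
        return "c2_ip_other_port", f"{flow.resp_h}:{flow.resp_p}"
    return "none", ""


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Classify every flow; return (orig_h, verdict, detail) for the hits only."""
    hits = []
    for flow in parse_flows(text):
        verdict, detail = classify(flow)
        if verdict != "none":
            hits.append((flow.orig_h, verdict, detail))
    return hits


# Constructed records (not from the PCAP): 10.0.0.5 mimics the sandbox host's traffic,
# 10.0.0.7 talks to a different ply.gg tenant, 10.0.0.9 fetches an unrelated GitHub file.
SAMPLE_CONN_LOG = """\
# ts\torig_h\tresp_h\tresp_p\tproto\thost\turl
1742412818.1\t10.0.0.5\t185.199.108.133\t443\ttcp\traw.githubusercontent.com\thttps://raw.githubusercontent.com/76bh/img/main/Imagenep.png
1742412819.4\t10.0.0.5\t147.185.221.25\t31732\ttcp\tquestions-when.gl.at.ply.gg\t-
1742412820.0\t10.0.0.5\t185.172.175.125\t505\ttcp\tabolhb.com\t-
1742412821.7\t10.0.0.7\t147.185.221.26\t23991\ttcp\tother-tenant.gl.at.ply.gg\t-
1742412822.2\t10.0.0.9\t185.199.108.133\t443\ttcp\traw.githubusercontent.com\thttps://raw.githubusercontent.com/example-org/repo/main/README.md
1742412823.9\t10.0.0.5\t147.185.221.25\t443\ttcp\t-\t-
"""

if __name__ == "__main__":
    for orig_h, verdict, detail in scan(SAMPLE_CONN_LOG):
        print(f"{orig_h:10} {verdict:26} {detail}")
```

Only the two exact (IP, port) pairs and the staging URL produce confirmed verdicts; the other ply.gg tenant and the relay IP on port 443 come back as review items, and the unrelated raw.githubusercontent.com fetch on the same CDN address is ignored, which is the behaviour you want before pushing these indicators to a firewall or proxy.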
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1643456
                            Start date and time:2025-03-19 20:32:39 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 30s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:btoawpdtjhjawd.exe
                            Detection:MAL
                            Classification:mal100.troj.adwa.evad.winEXE@4/5@3/3
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 36
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.204.23.20
                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.svc.static.microsoft, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target btoawpdtjhjawd.exe, PID 2840 because it is empty
                            • Execution Graph export aborted for target btoawpdtjhjawd.exe, PID 4716 because it is empty
                            • Execution Graph export aborted for target btoawpdtjhjawd.exe, PID 6760 because it is empty
                            • Execution Graph export aborted for target btoawpdtjhjawd.exe, PID 7144 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Autostart entries (Time | Type | Description):
  20:33:38 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "btoawpdtjhjawd" = C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe
  20:33:46 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "btoawpdtjhjawd" = C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe (same value through the 64-bit registry view)
  20:33:54 | Autostart | Startup folder: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
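The two autostart mechanisms above (a Run-key value and a PE copy in the Startup folder, both pointing at the same binary under the user's profile) are what the "CurrentVersion Autorun Keys Modification" and "Startup Folder File Write" Sigma signatures fire on. The following is an added example for this page, not Joe Sandbox or XWorm code, showing how to implement those two checks over Sysmon-style events and correlate them into a single high-confidence finding. The event records are constructed in the shape of Sysmon Event ID 11 (FileCreate), 13 (RegistryValueSet) and 15 (FileCreateStreamHash); the paths are copied from the report, while the SID, the writing process for each event, the OneDrive allowlist entry and the benign .lnk write are assumptions.

```python
"""Detect Run-key and Startup-folder persistence that points into user-writable paths,
and correlate both onto the same binary (the dual persistence this report records)."""
import ntpath
from typing import Dict, List

# Roots a standard user can write to; an autorun pointing here is the classic RAT pattern.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Legitimate autoruns that live under a user-writable root (assumed allowlist, extend per estate).
ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\onedrive.exe",)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
PE_EXT = (".exe", ".dll", ".scr", ".com", ".pif")


def exe_from_value(data: str) -> str:
    """Extract the executable path from Run-key value data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end].lower() if end > 0 else data.lower()
    return data.lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(root in p for root in USER_WRITABLE) and not any(p.endswith(a) for a in ALLOWLIST)


def base_name(path: str) -> str:
    """File name without directory and without an ADS suffix such as ':Zone.Identifier'."""
    name = ntpath.basename(path)
    return name.split(":")[0].lower()


def detect_persistence(events: List[Dict]) -> List[Dict]:
    findings = []
    run_targets: Dict[str, str] = {}    # exe name -> path from Run-key data
    startup_drops: Dict[str, str] = {}  # exe name -> path written to the Startup folder
    motw = set()                        # exe names that received a Zone.Identifier stream
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            exe = exe_from_value(ev["Details"])
            if is_user_writable(exe):
                findings.append({"rule": "autorun_user_writable", "image": ev["Image"], "path": exe})
                run_targets[base_name(exe)] = exe
        elif eid == 11:
            target = ev["TargetFilename"]
            low = target.lower()
            if STARTUP_DIR in low and low.endswith(PE_EXT):
                findings.append({"rule": "startup_folder_pe_write", "image": ev["Image"], "path": target})
                startup_drops[base_name(target)] = target
        elif eid == 15 and ev["TargetFilename"].lower().endswith(":zone.identifier"):
            motw.add(base_name(ev["TargetFilename"]))
    # Same binary name behind both mechanisms: escalate to one high-confidence finding.
    for name in run_targets.keys() & startup_drops.keys():
        findings.append({"rule": "dual_persistence_same_binary", "image": None,
                         "path": name, "motw": name in motw})
    return findings


STARTUP = "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [  # constructed records; process attribution is assumed
    {"EventID": 11, "Image": "C:\\Users\\user\\Desktop\\btoawpdtjhjawd.exe",
     "TargetFilename": STARTUP + "btoawpdtjhjawd.exe"},
    {"EventID": 15, "Image": "C:\\Users\\user\\Desktop\\btoawpdtjhjawd.exe",
     "TargetFilename": STARTUP + "btoawpdtjhjawd.exe:Zone.Identifier"},
    {"EventID": 13, "Image": "C:\\Users\\user\\Desktop\\btoawpdtjhjawd.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\btoawpdtjhjawd",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\btoawpdtjhjawd.exe"},
    # Benign noise: OneDrive's own autorun also lives under AppData, handled by the allowlist.
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    # Benign noise: a shortcut, not a PE, written to the Startup folder.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": STARTUP + "Notes.lnk"},
]

if __name__ == "__main__":
    for finding in detect_persistence(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields three findings: the Startup-folder PE write, the Run-key value pointing into AppData\Roaming, and the correlated "dual persistence" finding for btoawpdtjhjawd.exe with the Mark-of-the-Web stream noted. The OneDrive autorun and the .lnk write produce nothing, which is the false-positive handling a rule like this needs before it goes into production.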
Context: other samples seen with the same indicators (Associated Sample Name / URL | Detection | Threat Name | Context)

IPs

185.199.108.133:
  cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  gaber.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
  cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

147.185.221.25:
  MEMESENSE.exe | malicious | XWorm
  SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe | malicious | XWorm
  SecuriteInfo.com.Win32.RATX-gen.23694.15705.exe | malicious | XWorm
  bakacigan.exe | malicious | XWorm
  sigmica.exe | malicious | XWorm
  QWhGRzId8H.exe | malicious | DCRat, SheetRat
  baka prase raddi.exe | malicious | XWorm
  KoaguarLoader.exe | malicious | Salat Stealer, XWorm
  neverlosecrackbywaite.exe | malicious | XWorm
  safe.exe | malicious | XWorm

185.172.175.125:
  Output.exe | malicious | XWorm
  SolaraExecutor.exe.bin.exe | malicious | XWorm
  Output.exe | malicious | XWorm
  COMSurrogate.exe.bin.exe | malicious | XWorm
  mBBBgvD.exe | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig
  XWorm RAT V2.1.exe | malicious | Njrat, XWorm
  23khy505ab.exe | malicious | Njrat

Domains

raw.githubusercontent.com:
  ImageG.exe.bin.exe | malicious | NovaSentinel | 185.199.111.133
  ImageG.exe.bin.exe | malicious | NovaSentinel | 185.199.111.133
  https://inkton.xyz | malicious | Unknown | 185.199.111.133
  Invio Ordine accompagnatorio n. 20250319-70611 del 03192025 - C.E.F. Srl.js | malicious | AgentTesla | 185.199.111.133
  https://remix.etihreum.org | malicious | Unknown | 185.199.110.133
  511511625.exe | malicious | Xmrig | 185.199.109.133
  SecuriteInfo.com.W64.ABApplication.JMPI-0911.12846.7735.exe | malicious | Unknown | 185.199.108.133
  SecuriteInfo.com.W64.ABApplication.JMPI-0911.12846.7735.exe | malicious | Unknown | 185.199.110.133
  Install.bat | malicious | XWorm | 185.199.109.133
  Datanew.ps1 | malicious | XWorm | 185.199.110.133

abolhb.com:
  Output.exe | malicious | XWorm | 185.172.175.125
  SolaraExecutor.exe.bin.exe | malicious | XWorm | 185.172.175.125
  Output.exe | malicious | XWorm | 185.172.175.125
  COMSurrogate.exe.bin.exe | malicious | XWorm | 185.172.175.125
  mBBBgvD.exe | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | 185.172.175.125
  XWorm RAT V2.1.exe | malicious | Njrat, XWorm | 185.172.175.125
  23khy505ab.exe | malicious | Njrat | 185.172.175.125

ASNs

SALSGIVERUS:
  jkse.ppc.elf | malicious | Unknown | 147.185.65.227
  remover.exe | malicious | Unknown | 147.185.221.27
  45.exe.bin.exe | malicious | Njrat | 147.185.221.26
  hoho.m68k.elf | malicious | Unknown | 147.168.203.72
  FortVIP.bat | malicious | Unknown | 147.185.221.22
  sryxen-built.exe | malicious | Unknown | 147.185.221.26
  XWCTtOuD5e.exe | malicious | Python Stealer, Exela Stealer, Njrat | 147.185.221.26
  Planck Scale Lantern.exe | malicious | PureLog Stealer, XWorm, zgRAT | 147.185.221.17
  Installer.exe | malicious | XWorm | 147.185.221.26
  ExLoader_Installer.exe | malicious | Python Stealer, Blank Grabber, Umbral Stealer, XWorm | 147.185.221.26

HUGESERVER-NETWORKSUS:
  Output.exe | malicious | XWorm | 185.172.175.125
  SolaraExecutor.exe.bin.exe | malicious | XWorm | 185.172.175.125
  Output.exe | malicious | XWorm | 185.172.175.125
  COMSurrogate.exe.bin.exe | malicious | XWorm | 185.172.175.125
  Nexol.exe | malicious | LummaC Stealer, PureLog Stealer, XWorm | 185.172.175.147
  mBBBgvD.exe | malicious | AsyncRAT, BitCoin Miner, XWorm, Xmrig | 185.172.175.125
  5BADc9D4Ir.exe | malicious | Amadey, SystemBC | 185.133.35.21
  https://share.hsforms.com/1_vnkKmfHQN2JeD59Dlknqg2nxho | malicious | HTMLPhisher | 62.192.173.178
  FW Luis Quezada Signed.msg | malicious | HTMLPhisher | 62.192.173.178
  XWorm RAT V2.1.exe | malicious | Njrat, XWorm | 185.172.175.125

FASTLYUS:
  View Remittance_18032025.PDF J8TLBF6.9 KB for Accounting.svg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 151.101.2.137
  https://keap.app/contact-us/4633654512405098 | malicious | HTMLPhisher | 151.101.65.195
  https://events.trustifi.com/api/o/v1/click/67dad74fb2bfca7f680103d6/fff2f3/37054a/3dc20b/bc3eb8/514a43/16c432/a397cb/c8b81b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d2da7c/c26085/879bf6/b9ad54/7012c4/c2ddf0/f14a04/f15e41/3e8fb9/f68741/4e8474/638fa1/9fe1a5/94169e/8e265a/8c4565/9f3267/7b0314/ff3404/33714b/38592e/663c1b/a68c06/81bdb9/55f3ba/3227ca/c52e0b/b3d81e/bc87ef/3e01c3/c02f2b/c10125/292594/59440a/f95efa/c47b2d/efc862/6e4696/d1168d/15aeae/b08591/00048b/55ff70/8ef30d/c73e6f/a52719/597b28/f8c802/04d13e/1f0114/53ccda/d5b926/2701b7/b4e6e7/2cab45/4bd167/f78947/7376ee/dc5bca/d9ca29/561603/a2a34f/16b832/a0bef7/b19c1f/882ca6/785df3/b44f89/80e8cf/1476d8/0ae1f4/2fa66b/a79097/427216/4c3807/51198a#someaddress@gmail.com | malicious | Invisible JS, Tycoon2FA | 151.101.2.137
  b9bdbc2d.eml | malicious | HTMLPhisher | 151.101.2.137
  VM Transcript Caller Left (2) CALL-MSG (010758Secs) 0dca046e198529fd52f5c8ffd061f84a.msg | malicious | Unknown | 199.232.214.172
  https://oncontact.nercon.com/crm10/api/public/runworkflow?workflow=ClickThru&profile=nercon&activityid=https://gamma.app/docs/SharePoint-File-Received-lb8vste5j00wp3ymode=doc&drivingentityid=O7YVGH9H2E&entityname=Contact&contactid=O7YVGH9H2E&includecrmkeys=True&eventcode=CLICKSITE&redirecturl=https://gamma.app/docs/SharePoint-File-Received-lb8vste5j00wp3y | malicious | Unknown | 151.101.129.140
  Message.eml | malicious | Invisible JS, Tycoon2FA | 151.101.130.137
  View Remittance_18_032025.PDF J8TLBF6.9 KB for Tomdrackett.svg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 151.101.2.137
  vRecording__118sec__Inwg00990__098.svg | malicious | Unknown | 151.101.129.229
  Final Contract document.html | malicious | HTMLPhisher | 199.232.196.193

JA3 fingerprints

3b5074b1b5d032e5620f69f9f700ff0e:
  bopwadthjjawds.exe | malicious | Quasar | 185.199.108.133
  Talksy (1).exe | malicious | Meduza Stealer, RHADAMANTHYS | 185.199.108.133
  PO-31925.exe | malicious | Snake Keylogger, VIP Keylogger | 185.199.108.133
  Doc93847023000200009.exe | malicious | AgentTesla | 185.199.108.133
  CONFIDENTIAL_PAYMENT_CONFIRMATION_TRANSACTION_DETAILS_03224.exe | malicious | AgentTesla | 185.199.108.133
  ADEX YACHTING Kft. REF HU03192025.vbs | malicious | GuLoader | 185.199.108.133
  fattura_AR00881673_pdf.vbs | malicious | GuLoader | 185.199.108.133
  4FdCaLY.exe | malicious | Xmrig | 185.199.108.133
  random(1).exe | malicious | Unknown | 185.199.108.133
  imv-corp(ref0467) #U3010#U6ce8#U6587#U66f8#U3011sales Agreement WP2501001152 WP2501001159.exe | malicious | Snake Keylogger, VIP Keylogger | 185.199.108.133

Note on the JA3 row: 3b5074b1b5d032e5620f69f9f700ff0e is the fingerprint of the stock Windows SChannel TLS client, which .NET programs use by default, and it is shared with large amounts of benign software. The match says only that the sample used the platform TLS stack for its GitHub fetch; it does not link this sample to the families listed, and it is not a usable detection on its own. The ASN rows similarly mix this sample's C2 hosting with unrelated phishing infrastructure on the same providers; the per-IP and per-domain rows are the ones that pivot cleanly to XWorm.

Dropped files: No context
                                                              Process:C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Note: this .log is a runtime-generated binding log, not attacker content. It records the framework native images the AppData\Roaming copy loaded (System, System.Core and Microsoft.VisualBasic), so it is evidence that the dropped copy actually executed and that the binary uses the VB.NET runtime; the benign reputation is consistent with that.
                                                              Process:C:\Users\user\Desktop\btoawpdtjhjawd.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):43008
                                                              Entropy (8bit):5.537126868090147
                                                              Encrypted:false
                                                              SSDEEP:768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr
                                                              MD5:2FB952BB97197CCBEFAB03689724ABF4
                                                              SHA1:113FB94EDB9B11363C4C1390EDA86176767EC76F
                                                              SHA-256:4CD99A0C6B436EE6423A6E366F67A60FB41D1BB23943B19F354DE8D9D0E4BE0E
                                                              SHA-512:DD82C9583C4B92A56F129DE0D585CE4FB95CA9A3B07E8FBBDF36B7F63288DAF2C77740BD4836D5056D49CD53332D632A6B4F6D85AC31537273058547020ACF82
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: Joe Security
                                                              • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: Sekoia.io
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 75%
                                                              Reputation:low
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g................................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......hn...M............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                              Process:C:\Users\user\Desktop\btoawpdtjhjawd.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                              Process:C:\Users\user\Desktop\btoawpdtjhjawd.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):43008
                                                              Entropy (8bit):5.537126868090147
                                                              Encrypted:false
                                                              SSDEEP:768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr
                                                              MD5:2FB952BB97197CCBEFAB03689724ABF4
                                                              SHA1:113FB94EDB9B11363C4C1390EDA86176767EC76F
                                                              SHA-256:4CD99A0C6B436EE6423A6E366F67A60FB41D1BB23943B19F354DE8D9D0E4BE0E
                                                              SHA-512:DD82C9583C4B92A56F129DE0D585CE4FB95CA9A3B07E8FBBDF36B7F63288DAF2C77740BD4836D5056D49CD53332D632A6B4F6D85AC31537273058547020ACF82
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 75%
                                                              Reputation:low
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g................................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......hn...M............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                              Process:C:\Users\user\Desktop\btoawpdtjhjawd.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):5.537126868090147
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:btoawpdtjhjawd.exe
                                                              File size:43'008 bytes
                                                              MD5:2fb952bb97197ccbefab03689724abf4
                                                              SHA1:113fb94edb9b11363c4c1390eda86176767ec76f
                                                              SHA256:4cd99a0c6b436ee6423a6e366f67a60fb41d1bb23943b19f354de8d9d0e4be0e
                                                              SHA512:dd82c9583c4b92a56f129de0d585ce4fb95ca9a3b07e8fbbdf36b7f63288daf2c77740bd4836d5056d49cd53332d632a6b4f6d85ac31537273058547020acf82
                                                              SSDEEP:768:RL3Ug+dm8Mlbov04ypZhvfsQhJOgRXQr:RIgH8M/7bOgXQr
                                                              TLSH:9E1319C927D84105C7FD7BF16DB7964202B1DAA30D6BE7DE08C545CB2B67B918A00AE3
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g................................. ........@.. ....................................@................................
                                                              Icon Hash:90cececece8e8eb0
                                                              Entrypoint:0x40bc9e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x67D83AA1 [Mon Mar 17 15:07:13 2025 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated for the remaining bytes shown: the six-byte CLR entry stub is followed by zero padding, which the disassembler decodes as this instruction)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc4c           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x4e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x9ca4        0x9e00    6fca5ce38d3284cf55146c72361f7f30  False     0.4299347310126582  data       5.643904854237853    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc000           0x4e8         0x600     62719f3ac3c1df93131e6a843ae4f0e1  False     0.3776041666666667  data       3.7448249742341515   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe000           0xc           0x200     a20f5402e8839ffaa92afd27d9615b45  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xc0a0  0x254  data                                                                                                  0.46812080536912754
RT_MANIFEST  0xc2f8  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
FileDescription
FileVersion       1.0.0.0
InternalName      MasonClient.exe
LegalCopyright
OriginalFilename  MasonClient.exe
ProductVersion    1.0.0.0
Assembly Version  1.0.0.0
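The header, data-directory and section figures above can be cross-checked against each other before they are relied on. The script below is an added example and is not part of the Joe Sandbox report: its constants are copied from the tables above, it assumes the sections are laid out contiguously on disk after 0x200 bytes of headers (the report lists raw sizes but not raw offsets), and it rebuilds the bytes of the jmp dword ptr [00402000h] stub from that mnemonic (FF 25 followed by the little-endian absolute address) rather than reading them from the sample.

```python
"""Cross-check the PE facts the report lists for btoawpdtjhjawd.exe.

Added example; not part of the Joe Sandbox report. All constants are copied
from the report's header, data-directory and section tables. Two things are
assumed rather than read from the file: sections are packed back to back on
disk after HEADERS_SIZE bytes of headers, and ENTRY_STUB is the canonical
encoding of the `jmp dword ptr [00402000h]` the report disassembles.
"""
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x40BC9E
TIME_DATE_STAMP = 0x67D83AA1
FILE_SIZE = 43008
HEADERS_SIZE = 0x200                     # assumption: raw offset of the first section
IAT_RVA, IAT_SIZE = 0x2000, 0x8          # IMAGE_DIRECTORY_ENTRY_IAT
COM_DESCRIPTOR_RVA = 0x2008              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
ENTRY_STUB = bytes.fromhex("FF25") + struct.pack("<I", 0x402000)  # reconstructed

# (name, VirtualAddress, VirtualSize, SizeOfRawData) from the section table
SECTIONS = [
    (".text", 0x2000, 0x9CA4, 0x9E00),
    (".rsrc", 0xC000, 0x4E8, 0x600),
    (".reloc", 0xE000, 0xC, 0x200),
]


def section_for_rva(rva):
    """Return the name of the section whose virtual range holds rva, or None."""
    for name, va, vsize, _ in SECTIONS:
        if va <= rva < va + vsize:
            return name
    return None


def rva_to_file_offset(rva):
    """Map an RVA to a file offset under the contiguous-layout assumption."""
    raw = HEADERS_SIZE
    for _, va, vsize, rsize in SECTIONS:
        if va <= rva < va + vsize:
            return raw + (rva - va)
        raw += rsize
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def decode_jmp_indirect(stub):
    """Decode `FF 25 abs32` (jmp dword ptr [abs32]) and return the address it
    dereferences; None if the bytes are not that instruction."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", stub, 2)[0]


def pe_timestamp(stamp):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def consistency_checks():
    """The checks an analyst runs before trusting the header numbers."""
    entry_rva = ENTRYPOINT_VA - IMAGE_BASE
    jmp_target = decode_jmp_indirect(ENTRY_STUB)
    return {
        # headers plus raw section sizes must account for the whole file
        "raw_sizes_match_file_size":
            HEADERS_SIZE + sum(s[3] for s in SECTIONS) == FILE_SIZE,
        # the entry point and the whole 6-byte stub lie inside .text
        "entry_in_text":
            section_for_rva(entry_rva) == ".text"
            and section_for_rva(entry_rva + len(ENTRY_STUB) - 1) == ".text",
        # the stub jumps through the single IAT slot, i.e. mscoree!_CorExeMain
        "entry_jumps_through_iat":
            jmp_target is not None
            and IAT_RVA <= jmp_target - IMAGE_BASE < IAT_RVA + IAT_SIZE,
        # the CLR header directly follows the IAT, the usual .NET compiler layout
        "clr_header_follows_iat": COM_DESCRIPTOR_RVA == IAT_RVA + IAT_SIZE,
        "entry_file_offset": rva_to_file_offset(entry_rva),
        "timestamp_utc": pe_timestamp(TIME_DATE_STAMP).strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    for key, value in consistency_checks().items():
        print(f"{key:28} {value}")
```

Running it shows that headers plus raw sizes account for all 43008 bytes, that the entry point occupies the last six bytes of .text's virtual size and jumps through the one IAT slot that the import table resolves to mscoree.dll!_CorExeMain, and that the TimeDateStamp decodes to the 2025-03-17 15:07:13 UTC the report prints. A failure in any of these checks usually points to a tampered header, an overlay, or a packer rather than plain compiler output.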


• Total Packets: 74
• 31732 (no well-known service on this port)
• 505 (no well-known service on this port)
• 443 (HTTPS)
• 53 (DNS)
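The per-port summary above and the flow rows that follow show two kinds of traffic: a session on 443 that is answered by the peer, and connection attempts to 147.185.221.25:31732 and 185.172.175.125:505 that, in the rows listed, never receive a packet back, are retried with doubling gaps, and are then restarted from a fresh source port. The script below is an added example and is not part of the report; it takes a subset of the report's rows (transcribed with the columns separated) and the analysis VM address 192.168.2.8 from the same table, while the function names and thresholds are choices made for this example.

```python
"""Separate answered sessions from unanswered, retrying connection attempts
in a sandbox packet list.

Added example; not part of the Joe Sandbox report. SAMPLE_ROWS is a subset
of the report's network table, transcribed with the columns separated;
192.168.2.8 is the analysis VM in that table. Function names and thresholds
are choices of this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

SANDBOX_HOST = "192.168.2.8"

# Timestamp, source port, dest port, source IP, dest IP (from the report).
SAMPLE_ROWS = """\
Mar 19, 2025 20:33:41.524853945 CET 49692 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:33:42.210135937 CET 49693 443 192.168.2.8 185.199.108.133
Mar 19, 2025 20:33:42.210180998 CET 443 49693 185.199.108.133 192.168.2.8
Mar 19, 2025 20:33:42.210339069 CET 49693 443 192.168.2.8 185.199.108.133
Mar 19, 2025 20:33:42.520606995 CET 49692 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:33:44.520571947 CET 49692 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:33:48.520556927 CET 49692 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:33:48.816066027 CET 49694 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:33:49.817500114 CET 49694 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:33:51.817560911 CET 49694 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:33:55.817441940 CET 49694 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:33:56.520720959 CET 49692 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:34:03.833112955 CET 49694 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:34:06.803570032 CET 49700 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:34:07.801867962 CET 49700 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:34:09.801870108 CET 49700 31732 192.168.2.8 147.185.221.25
Mar 19, 2025 20:34:11.460272074 CET 49703 505 192.168.2.8 185.172.175.125
Mar 19, 2025 20:34:12.473761082 CET 49703 505 192.168.2.8 185.172.175.125
"""


def parse_row(line):
    """Return (seconds, sport, dport, sip, dip) for one table row."""
    p = line.split()
    clock, frac = p[3].split(".")
    when = datetime.strptime(f"{p[0]} {p[1]} {p[2]} {clock}", "%b %d, %Y %H:%M:%S")
    secs = when.replace(tzinfo=timezone.utc).timestamp() + int(frac[:6].ljust(6, "0")) / 1e6
    return secs, int(p[5]), int(p[6]), p[7], p[8]


def build_flows(rows, host=SANDBOX_HOST):
    """Group packets into client-side flows keyed by (client port, server IP,
    server port) so that both directions of a connection land in one flow."""
    flows = defaultdict(lambda: {"out": [], "in": 0})
    for line in rows.strip().splitlines():
        t, sport, dport, sip, dip = parse_row(line)
        if sip == host:
            flows[(sport, dip, dport)]["out"].append(t)
        elif dip == host:
            flows[(dport, sip, sport)]["in"] += 1
    return flows


def looks_like_syn_backoff(times, tolerance=0.25):
    """True when the gaps between successive outbound packets roughly double
    (1 s, 2 s, 4 s, 8 s ...): the retransmit schedule of a TCP connect()
    whose SYN is never answered."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    return all(g1 > 0 and abs(g2 / g1 - 2.0) <= tolerance
               for g1, g2 in zip(gaps, gaps[1:]))


def summarize(flows):
    """Per server endpoint: distinct connection attempts (one per client port),
    whether any packet ever came back, and how many attempts showed backoff."""
    per_server = defaultdict(lambda: {"attempts": 0, "answered": False, "backoff": 0})
    for (_cport, sip, sport), f in flows.items():
        s = per_server[(sip, sport)]
        s["attempts"] += 1
        s["answered"] = s["answered"] or f["in"] > 0
        s["backoff"] += int(looks_like_syn_backoff(f["out"]))
    return dict(per_server)


def suspected_beacons(summary, min_attempts=2):
    """Endpoints the host keeps dialling from fresh ports without ever getting
    a reply: the reconnect loop of a RAT whose C2 is unreachable."""
    return sorted(ep for ep, s in summary.items()
                  if not s["answered"] and s["attempts"] >= min_attempts)


if __name__ == "__main__":
    report = summarize(build_flows(SAMPLE_ROWS))
    for (ip, port), s in sorted(report.items()):
        print(f"{ip}:{port:<6} attempts={s['attempts']} answered={s['answered']} "
              f"backoff={s['backoff']}")
    print("suspected beacons:", suspected_beacons(report))
```

A sandbox with no Internet route makes every outbound connection look unanswered, so this heuristic is only informative next to an answered control flow (here the 443 session) and should be read together with the C2 endpoints recovered from the sample's configuration rather than on its own.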
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 19, 2025 20:33:41.524853945 CET  49692        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:33:42.210135937 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.210180998 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.210339069 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.238147974 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.238167048 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.432277918 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.432385921 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.436582088 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.436609030 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.436882973 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.489336014 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.495527983 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.520606995 CET  49692        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:33:42.536325932 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.619465113 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.619544029 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.619633913 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.619703054 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.619723082 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.619807959 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.622297049 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.625241041 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.625274897 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.625376940 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.625399113 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.625482082 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.628371954 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.631169081 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.631268024 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.631282091 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.634861946 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.634922028 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.634932041 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.637485981 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.637590885 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.637602091 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.640382051 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.640453100 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.640460968 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.647041082 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.647079945 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.647119999 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.647129059 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.647178888 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.651416063 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.654334068 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.654376984 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.654391050 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.654411077 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.654454947 CET  443          49693      185.199.108.133  192.168.2.8
Mar 19, 2025 20:33:42.654464960 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.654501915 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:42.687639952 CET  49693        443        192.168.2.8      185.199.108.133
Mar 19, 2025 20:33:44.520571947 CET  49692        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:33:48.520556927 CET  49692        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:33:48.816066027 CET  49694        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:33:49.817500114 CET  49694        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:33:51.817560911 CET  49694        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:33:55.817441940 CET  49694        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:33:56.520720959 CET  49692        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:34:03.833112955 CET  49694        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:34:06.803570032 CET  49700        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:34:07.801867962 CET  49700        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:34:09.801870108 CET  49700        31732      192.168.2.8      147.185.221.25
Mar 19, 2025 20:34:11.460272074 CET  49703        505        192.168.2.8      185.172.175.125
Mar 19, 2025 20:34:12.473761082 CET  49703        505        192.168.2.8      185.172.175.125
                                                              Mar 19, 2025 20:34:13.801954985 CET4970031732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:14.473731995 CET49703505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:18.473738909 CET49703505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:21.802222967 CET4970031732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:26.473849058 CET49703505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:30.616316080 CET4979731732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:31.630009890 CET4979731732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:33.630048037 CET4979731732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:35.006577969 CET49835505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:36.020674944 CET49835505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:37.645648956 CET4979731732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:38.020783901 CET49835505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:42.036290884 CET49835505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:45.661273956 CET4979731732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:50.051939964 CET49835505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:34:54.741426945 CET4995931732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:55.755059004 CET4995931732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:34:57.755100965 CET4995931732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:00.928666115 CET49960505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:01.770690918 CET4995931732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:01.927041054 CET49960505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:03.926908016 CET49960505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:07.927084923 CET49960505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:09.770638943 CET4995931732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:15.927015066 CET49960505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:19.459734917 CET4996131732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:20.458251953 CET4996131732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:22.473799944 CET4996131732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:26.472847939 CET49962505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:26.473856926 CET4996131732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:27.473829031 CET49962505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:29.473834038 CET49962505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:33.473817110 CET49962505192.168.2.8185.172.175.125
                                                              Mar 19, 2025 20:35:34.473787069 CET4996131732192.168.2.8147.185.221.25
                                                              Mar 19, 2025 20:35:41.473934889 CET49962505192.168.2.8185.172.175.125
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 19, 2025 20:33:41.249505997 CET | 65352 | 53 | 192.168.2.8 | 1.1.1.1
Mar 19, 2025 20:33:41.518312931 CET | 53 | 65352 | 1.1.1.1 | 192.168.2.8
Mar 19, 2025 20:33:42.112526894 CET | 60322 | 53 | 192.168.2.8 | 1.1.1.1
Mar 19, 2025 20:33:42.204415083 CET | 53 | 60322 | 1.1.1.1 | 192.168.2.8
Mar 19, 2025 20:33:48.709896088 CET | 60102 | 53 | 192.168.2.8 | 1.1.1.1
Mar 19, 2025 20:33:48.815407038 CET | 53 | 60102 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 19, 2025 20:33:41.249505997 CET | 192.168.2.8 | 1.1.1.1 | 0xa4c1 | Standard query (0) | questions-when.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:42.112526894 CET | 192.168.2.8 | 1.1.1.1 | 0x7591 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:48.709896088 CET | 192.168.2.8 | 1.1.1.1 | 0xac59 | Standard query (0) | abolhb.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 19, 2025 20:33:41.518312931 CET | 1.1.1.1 | 192.168.2.8 | 0xa4c1 | No error (0) | questions-when.gl.at.ply.gg | | 147.185.221.25 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:42.204415083 CET | 1.1.1.1 | 192.168.2.8 | 0x7591 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 20:33:48.815407038 CET | 1.1.1.1 | 192.168.2.8 | 0xac59 | No error (0) | abolhb.com | | 185.172.175.125 | A (IP address) | IN (0x0001) | false
                                                              • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49693 | 185.199.108.133 | 443 | 6760 | C:\Users\user\Desktop\btoawpdtjhjawd.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-19 19:33:42 UTC | 101 | OUT | GET /76bh/img/main/Imagenep.png HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2025-03-19 19:33:42 UTC | 877 | IN | HTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 31476
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: image/png
                                                              ETag: "0aee22d8b1a8775302266ace0e8334efbe5be1447d6735d7fc3415ee954bc813"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 26B9:162056:EAB75E:1228CDC:67DB0211
                                                              Accept-Ranges: bytes
                                                              Date: Wed, 19 Mar 2025 19:33:42 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-lga21934-LGA
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1742412823.564850,VS0,VE9
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: 5e74cff07ec6c0d2be791d1408da437f4b64cd70
                                                              Expires: Wed, 19 Mar 2025 19:38:42 GMT
                                                              Source-Age: 0



                                                              Target ID:0
                                                              Start time:15:33:34
                                                              Start date:19/03/2025
                                                              Path:C:\Users\user\Desktop\btoawpdtjhjawd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\btoawpdtjhjawd.exe"
                                                              Imagebase:0x230000
                                                              File size:43'008 bytes
                                                              MD5 hash:2FB952BB97197CCBEFAB03689724ABF4
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.863086546.0000000000232000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2113634911.000000001AF20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2112230386.0000000002718000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2112230386.0000000002610000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:2
                                                              Start time:15:33:46
                                                              Start date:19/03/2025
                                                              Path:C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe"
                                                              Imagebase:0x8c0000
                                                              File size:43'008 bytes
                                                              MD5 hash:2FB952BB97197CCBEFAB03689724ABF4
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 75%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:15:33:54
                                                              Start date:19/03/2025
                                                              Path:C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\btoawpdtjhjawd.exe"
                                                              Imagebase:0xd10000
                                                              File size:43'008 bytes
                                                              MD5 hash:2FB952BB97197CCBEFAB03689724ABF4
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:15:34:02
                                                              Start date:19/03/2025
                                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe"
                                                              Imagebase:0xe10000
                                                              File size:43'008 bytes
                                                              MD5 hash:2FB952BB97197CCBEFAB03689724ABF4
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: Joe Security
                                                              • Rule: rat_win_xworm_v2, Description: Finds XWorm v2 samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: Sekoia.io
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: ditekSHen
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: ditekSHen
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: ditekSHen
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btoawpdtjhjawd.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Avira
                                                              • Detection: 75%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              Executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: L_^
                                                              • API String ID: 0-925995230
                                                              • Opcode ID: e9a14520a49f62c58468ed9ec46af6ed2c7c670b341a58446453516097183e4c
                                                              • Instruction ID: 29332ab6d565c69e0f558feadf0673d97928295863faab488b5b66331d56fd17
                                                              • Opcode Fuzzy Hash: e9a14520a49f62c58468ed9ec46af6ed2c7c670b341a58446453516097183e4c
                                                              • Instruction Fuzzy Hash: BB913872E0CA8A4FF7A9DB2854557A97FE4FF59314B44017AC099C32D3EDA8B8068741
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: =L_^
                                                              • API String ID: 0-3950360236
                                                              • Opcode ID: 54f8cb84ec141bae0294fac6091912a3cf94bc3bdbbf01c4ace411507727ed64
                                                              • Instruction ID: a1c678b820097ab70d5e3676e53fe9708d88b7e8946a9b6986913e8c771d9dbe
                                                              • Opcode Fuzzy Hash: 54f8cb84ec141bae0294fac6091912a3cf94bc3bdbbf01c4ace411507727ed64
                                                              • Instruction Fuzzy Hash: 33614A71E1CA894FE7A9DB2884587A97BE5FF69318B44017DC08EC3692DD787806C741
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0zv6
                                                              • API String ID: 0-1054245330
                                                              • Opcode ID: 16b76e30dbc84355045d2ebd0bd3caeb378b9f24936d778f1847b0f4f7e4cd59
                                                              • Instruction ID: 0af21c0e953dea65863528886cc4a2b5ca6404bef29713b18b065de32f75e265
                                                              • Opcode Fuzzy Hash: 16b76e30dbc84355045d2ebd0bd3caeb378b9f24936d778f1847b0f4f7e4cd59
                                                              • Instruction Fuzzy Hash: 77F0BB72D1864A4FF748DB6484656E97BE1FF94350F84017AC115D72C2DE7CB9068741
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3c622f43bbba18726fe4f2e08788908b3e3127ee8e381ba9b9dfc9278fb64c4
                                                              • Instruction ID: bc76995b4c8384e54709f17492714f21538302b5515317bad0e6177e171b7534
                                                              • Opcode Fuzzy Hash: e3c622f43bbba18726fe4f2e08788908b3e3127ee8e381ba9b9dfc9278fb64c4
                                                              • Instruction Fuzzy Hash: 12811631A1CA494FF758EF289459BB97BE5FF99311F04017EE04EC3292DEA5B8018781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03bb4b0de9888e88612f1802b2e667f10c0e007dc7aec4e47f4be31eec999e7b
                                                              • Instruction ID: 5a70b647c2ec2ba76e2d8cb4c2647e8649e33320a95547bfccbe873bd574cc53
                                                              • Opcode Fuzzy Hash: 03bb4b0de9888e88612f1802b2e667f10c0e007dc7aec4e47f4be31eec999e7b
                                                              • Instruction Fuzzy Hash: 0161F432E1C94E4FEBA8EB2C94957B9B7D5FF9C314B500679D00ED3292ED6868028781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe9746a604eafef9962f4ee580d83147b2ce679cd98d58dc9351548a78e48010
                                                              • Instruction ID: e4e3eb67d3c8862a97953fd3e1d79d97b9043ebe55e2989f1e21141eeb9855dc
                                                              • Opcode Fuzzy Hash: fe9746a604eafef9962f4ee580d83147b2ce679cd98d58dc9351548a78e48010
                                                              • Instruction Fuzzy Hash: D1611771E1894A4FE7A8EB2C90557B9BBE5FFAC314F540139D08ED3682DDB878068781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af897dd588748e67e0f8afed415bbe56644cf4ad654afb0cb9394c0ca58eece5
                                                              • Instruction ID: 80fbf179ff32c76d6509bc2bbf6a5fe5be12d9e2b88823d61a1f3536569d791b
                                                              • Opcode Fuzzy Hash: af897dd588748e67e0f8afed415bbe56644cf4ad654afb0cb9394c0ca58eece5
                                                              • Instruction Fuzzy Hash: D3611271B1C99A0FE3A9EB2C44957B9B7D6EF98304F1401B9D00DC32E7DDA9B8468781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b7472e13e3f0b3f9e2007eb84359b3c4b2532599b7cdd7ba424744506186c89
                                                              • Instruction ID: d4e50856cee59aaf0df742ef8276d5ea3d3b9b4a6403c11b4abf75a656c3bea4
                                                              • Opcode Fuzzy Hash: 1b7472e13e3f0b3f9e2007eb84359b3c4b2532599b7cdd7ba424744506186c89
                                                              • Instruction Fuzzy Hash: 5F51E431E1CA4D4FEBA8EB2C84987B9ABD5FF9C314B50067AD04DD3292ED7868418781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 200e2c0e7506cd0ec8b45d2d0d7b29ccfb02d56bf64f093f3d29898ffa925885
                                                              • Instruction ID: de11f23673b465bafd5294f9f86f79878c9c5b9e554aec71caa6607b4b0e674d
                                                              • Opcode Fuzzy Hash: 200e2c0e7506cd0ec8b45d2d0d7b29ccfb02d56bf64f093f3d29898ffa925885
                                                              • Instruction Fuzzy Hash: F5512771E18D494BE7A8DB2880587A9BBE5FFAC314F54017DD08ED3682DDB87806C781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d2deaa092519a41755f593feb99df8bead7804e92040c816c4b4fc3002c8d9b
                                                              • Instruction ID: ae79a8a26bd833ce394bb030927ac071c1bf7274d86b94d41fe4cfcf47d3bb33
                                                              • Opcode Fuzzy Hash: 5d2deaa092519a41755f593feb99df8bead7804e92040c816c4b4fc3002c8d9b
                                                              • Instruction Fuzzy Hash: CB41B470908A4D8FEB98EF68D495BA97BE0FB69311F04416ED04EC3A92DB75E841CB41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a548182025d0fb712c80e9f3a8adf9b03956a360a7b4f523cd359e6b829b61dd
                                                              • Instruction ID: 0b31174917be1b2c9a9706c0da0e47a71d0c3f1b3b14c527631040fba11f633a
                                                              • Opcode Fuzzy Hash: a548182025d0fb712c80e9f3a8adf9b03956a360a7b4f523cd359e6b829b61dd
                                                              • Instruction Fuzzy Hash: C4419330919A5D8FEB98EF68C499BA977E5FF59311F00017ED00AD3292EB75E841CB41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb88c25db1e1a764abd189731784d2620d8eb0dda3d18d79a5aa9939b9ea5729
                                                              • Instruction ID: 8df5e07f2ba93f621f252218c7011b2858ca0d08c143cb1f3ab3726d5eddc666
                                                              • Opcode Fuzzy Hash: eb88c25db1e1a764abd189731784d2620d8eb0dda3d18d79a5aa9939b9ea5729
                                                              • Instruction Fuzzy Hash: 5B41A370A08A4D8FEB98EF58D495BA9B7E0FB69315F10016ED04AD3A91DB75E841CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 317736cd4f7eb7e2c61f5af826b12b5f5fa7c7ed842587769dbe15e3741d8be3
                                                              • Instruction ID: 8bd26219e36a9cc3fb36781b644c707b97a1ebc9e41afd45454c56b72401e612
                                                              • Opcode Fuzzy Hash: 317736cd4f7eb7e2c61f5af826b12b5f5fa7c7ed842587769dbe15e3741d8be3
                                                              • Instruction Fuzzy Hash: 0D418F30918A5D8FEB98EF68C489BA9B7E5FB68311F10417EE00ED3291DB75E841CB41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b1b4a61f4d3649d79e58f22cb7a21c5b2ac89f9d84480f74dba44d4310e0070a
                                                              • Instruction ID: 73bc5fb48d0908983a910ff82501016d2b84698c8c7366d53f1c392220dc406a
                                                              • Opcode Fuzzy Hash: b1b4a61f4d3649d79e58f22cb7a21c5b2ac89f9d84480f74dba44d4310e0070a
                                                              • Instruction Fuzzy Hash: E32178A2D4E6C61FF355DB341C547E8BFA0BF4A20479800BAD0C8C65E7DDB8A806E381
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd851d294e1d1cd457cdc72e82d34662db06c2ba4261294ce3155baa18b4785a
                                                              • Instruction ID: eac442f2f5553f81cb07c19b08eaa75714e1207ba540c307f6a9ac9628619a32
                                                              • Opcode Fuzzy Hash: dd851d294e1d1cd457cdc72e82d34662db06c2ba4261294ce3155baa18b4785a
                                                              • Instruction Fuzzy Hash: D8110022E0DDC60FF3AAD72C14557687BC5EF99260B4842BAC058C71D7DD5CB8468395
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2a393b25540811e7915b6fc835047f207ac2e4b64a905adc11e01a687ff82e1
                                                              • Instruction ID: 66ed20d8c202e3a25b3b4fc84e5dab2c1d567b0c038f0224effd4694878410f5
                                                              • Opcode Fuzzy Hash: b2a393b25540811e7915b6fc835047f207ac2e4b64a905adc11e01a687ff82e1
                                                              • Instruction Fuzzy Hash: C5210731E4818B5BE3A5FB6854953E97BE5EF88218FA41075D40CC7387EDB8B449C750
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 829215355f1a1154ee9bd57318e7e0580f6235a89205f04a8678df715a5c69f9
                                                              • Instruction ID: 25fedd54d8abe93693b7c8c0f08796cd6aed55ad09a8292bfd9ffa2b91ad6255
                                                              • Opcode Fuzzy Hash: 829215355f1a1154ee9bd57318e7e0580f6235a89205f04a8678df715a5c69f9
                                                              • Instruction Fuzzy Hash: A701C431A5858B5BD798FB2850D12E9BBE1FF882087E04478E40EC3787ED78B904CB51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c766d11cdf7b343098a0a486ba1bb312d9041d10cb866cd0deb04d7278a3aad0
                                                              • Instruction ID: 5cf7b9f418e32a44c8ef07b8e32fec7cb8819832212e5ca72abc08db88b35ab2
                                                              • Opcode Fuzzy Hash: c766d11cdf7b343098a0a486ba1bb312d9041d10cb866cd0deb04d7278a3aad0
                                                              • Instruction Fuzzy Hash: 4A01BC21E1E78A0FFB6AE33858A57692B99AF99314F0501FAD04EC71D3DD9D7C009352
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c7a83566eea761e1b04b980f10148cf636bab296651cb64bd2c4c01fe9a76fe
                                                              • Instruction ID: eb393ba1cae452598c3f861772053035a265c7342eb4edc9c8fef9fb4b16e743
                                                              • Opcode Fuzzy Hash: 6c7a83566eea761e1b04b980f10148cf636bab296651cb64bd2c4c01fe9a76fe
                                                              • Instruction Fuzzy Hash: A4F0B450E2C64A4AFAA9F77C50A277D1AC9AF98340F5400B8E05EC22D3DCDDB8419342
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2114907182.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 23a1b61fc3bdba2a9ccb74e4f16f4d846d3b7bd386d1a6b258da4600d5835a4a
                                                              • Instruction ID: 2d5c4370011854ce430194c96682186ae4d1d54518fbd7304eea0a8f4dab4582
                                                              • Opcode Fuzzy Hash: 23a1b61fc3bdba2a9ccb74e4f16f4d846d3b7bd386d1a6b258da4600d5835a4a
                                                              • Instruction Fuzzy Hash: 05E0CD2061895507E758F6185441EB9B7C5EB98758B840474F40DD3291DD28FA814791

                                                              Executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.996230544.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0zv6
                                                              • API String ID: 0-1054245330
                                                              • Opcode ID: 7b9825410050a45770ea6c969bf5bbd3143d910384ba18323bdf16771c711fc5
                                                              • Instruction ID: d7c4951a0a8c06c87deb1292dfb0a4b4b40248ed9bd3b12dc9e3a777ad697f7b
                                                              • Opcode Fuzzy Hash: 7b9825410050a45770ea6c969bf5bbd3143d910384ba18323bdf16771c711fc5
                                                              • Instruction Fuzzy Hash: DEF0BB72D18A4A4FF748DB6484656E97BA1FF94350F84017AC115D72C2DE7CB9068741
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.996230544.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c8b0c6c2c051b678dffe4c7e02c484d3b643a0876197c0ad4a9a4e8f3de91c7
                                                              • Instruction ID: 9bb3258f71cece92e4b9400aa7db480281c2516bb13f8d87d0465a374a777e4d
                                                              • Opcode Fuzzy Hash: 5c8b0c6c2c051b678dffe4c7e02c484d3b643a0876197c0ad4a9a4e8f3de91c7
                                                              • Instruction Fuzzy Hash: AE610F71B1C94A0FE3A9EB2C94957A977D6EF98344F1801B9D00DC32D7DDA9B8428381
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.996230544.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04ea56ec1e718baa33749be5b59000f1cba802db435c1519129875f3974d5985
                                                              • Instruction ID: da90ac09ddf7f41314506d5f318db8a8e874b2d931216d36979daaf36f7f7f7c
                                                              • Opcode Fuzzy Hash: 04ea56ec1e718baa33749be5b59000f1cba802db435c1519129875f3974d5985
                                                              • Instruction Fuzzy Hash: 3B018471B5960A8FD758FB28B0912AA3FA6FF882047D44578E40DC7386DD78B905C761
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.996230544.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff936870000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfa8b04cc89db3dc9af30ff89484c59733c0d650c5d087a413df96293c90f54c
                                                              • Instruction ID: 0f09f20419ecd99b51152502cc8d8d7c2478524c4be14b02a0271c032cbaa6fa
                                                              • Opcode Fuzzy Hash: dfa8b04cc89db3dc9af30ff89484c59733c0d650c5d087a413df96293c90f54c
                                                              • Instruction Fuzzy Hash: EDE0CD2061851507E758F618A441E7A77C5EB88794B840474F40CD7291CD28FA814391

                                                              Executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^
                                                              • API String ID: 0-921959145
                                                              • Opcode ID: 250ad08f0e15006c1339f41e7e1914dffa30109bb151c2244085dbf6d3f7d3a5
                                                              • Instruction ID: 6c0da3f55f0a2e34ce65874d38927107c84771dc0375f1427b54ce3572a372d4
                                                              • Opcode Fuzzy Hash: 250ad08f0e15006c1339f41e7e1914dffa30109bb151c2244085dbf6d3f7d3a5
                                                              • Instruction Fuzzy Hash: D5210522E4D24A5FE759EB2C54686B97FA0FF88304F8504B9D148C3283EEB97805C711
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: =M_^
                                                              • API String ID: 0-3937918107
                                                              • Opcode ID: e65fa91fd7cd6ddd1984cb57507c11b3e8975ef52d9108cfae0a642bb216ca8f
                                                              • Instruction ID: 405093764f65c5a80e00c2bb2ceb75ae2cedc57f469c16eaf98e483a6d5e7440
                                                              • Opcode Fuzzy Hash: e65fa91fd7cd6ddd1984cb57507c11b3e8975ef52d9108cfae0a642bb216ca8f
                                                              • Instruction Fuzzy Hash: 24210231E4D24A4FD759EB2840695A97FB1FF89308B8508B9E10DC7387DEB8B808C721
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0zu6
                                                              • API String ID: 0-368824849
                                                              • Opcode ID: bcfb12775a57702ee00fcc7597e23718feb7d6c594fca39a7425357abc77997d
                                                              • Instruction ID: fbb70ab80bf0b6b6cb342efe9ae15b810fbb88666be07b6ce26cbac36cb47ba6
                                                              • Opcode Fuzzy Hash: bcfb12775a57702ee00fcc7597e23718feb7d6c594fca39a7425357abc77997d
                                                              • Instruction Fuzzy Hash: 9FF09632D1864A4FF744EB6485656E97BA2FF84310F8101BAC216D7282DF6869068741
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f611d959e31a470a12765b1e9307c549d54a726bef3985739591ff779f550631
                                                              • Instruction ID: 8a8466d343565ab139c0453a6060d4dfcb676dac26f517a71984a5bd9b6e0a6d
                                                              • Opcode Fuzzy Hash: f611d959e31a470a12765b1e9307c549d54a726bef3985739591ff779f550631
                                                              • Instruction Fuzzy Hash: FF416723E0E24A4FE715EB2C64695E97FA0FF85319B4505BBC188C7283DEA97805C761
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2cd7040cb68d11cfeb5ec9e5034f50afa8393a6ad4423460d396320d5606073e
                                                              • Instruction ID: b2b52b6dd3a219db77082f72f55548589c4d57f8958e3d633eca93e0975f428e
                                                              • Opcode Fuzzy Hash: 2cd7040cb68d11cfeb5ec9e5034f50afa8393a6ad4423460d396320d5606073e
                                                              • Instruction Fuzzy Hash: 58611631B1D9594FE3A9EB2C44957A9B7D6EF98350F0541B9D00EC32D3CEA9BC428781
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f4d7b8b30fc2d70d9e216d882d9b58ebe9b928f2f9e6d7ed59af4ac21a5b6935
                                                              • Instruction ID: a1c1320a41c05d75ffe990ab1b1df7ac0be988fb2e0748c0a594111080add704
                                                              • Opcode Fuzzy Hash: f4d7b8b30fc2d70d9e216d882d9b58ebe9b928f2f9e6d7ed59af4ac21a5b6935
                                                              • Instruction Fuzzy Hash: 9DE0CD10A1851507E758F6185455E7D77C5EB887A4F840478F40CD3291CE68BA814381

                                                              Executed Functions

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^
                                                              • API String ID: 0-921959145
                                                              • Opcode ID: f8905006b841b890913cc6a7eb2600b0b4be26195319b73ac02114aa034fd8d4
                                                              • Instruction ID: 447f673112294be16da4834a85379d145348dfa6a73dac801635dadd19d7e70c
                                                              • Opcode Fuzzy Hash: f8905006b841b890913cc6a7eb2600b0b4be26195319b73ac02114aa034fd8d4
                                                              • Instruction Fuzzy Hash: E321E521E4C68A4FE399EB2844A56B93FE4EF89205B8141B9D148C32D3EEBE7805C311
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: =M_^
                                                              • API String ID: 0-3937918107
                                                              • Opcode ID: c7da6594fac44c4fb83f3d9e33fb160cafbc79729a7d6598143b44e41b550a3c
                                                              • Instruction ID: 504085d12e31c4b0e9786bdcd217a5a182e810ff310e25d57c66957c9e2c006c
                                                              • Opcode Fuzzy Hash: c7da6594fac44c4fb83f3d9e33fb160cafbc79729a7d6598143b44e41b550a3c
                                                              • Instruction Fuzzy Hash: 0E21C330A4C68A8FD755FB2844A52A93FF1BF8A20979144B5D049C7397DE7DA804C721
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0zu6
                                                              • API String ID: 0-368824849
                                                              • Opcode ID: 1a8b7ef9bc5fe1a1a3ec3b9832e6fd3b3fd93167d035a9cc17eaec28ddf90762
                                                              • Instruction ID: 8109840516de3eaa1daa8e099c4b3dd35de3df8252ebb3bb14f5ae2bf2e8a3fa
                                                              • Opcode Fuzzy Hash: 1a8b7ef9bc5fe1a1a3ec3b9832e6fd3b3fd93167d035a9cc17eaec28ddf90762
                                                              • Instruction Fuzzy Hash: 34F09631D18A4A4FF744EB6485656E97BE2FF85310F8101BAC215D7292DE6868069741
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f0c346f5e7c45bfe0249cc6e9363684f983960c8a3ad937527e65075caeba82a
                                                              • Instruction ID: d79ea04c73cc157997d0edf84bc43afe31f386b50c770d34b08c0aa606b4b2c2
                                                              • Opcode Fuzzy Hash: f0c346f5e7c45bfe0249cc6e9363684f983960c8a3ad937527e65075caeba82a
                                                              • Instruction Fuzzy Hash: 2C411322E0D68A4FE765FB2C54A51EA3FE0FF8621974542B6C188C7293DE7D78058361
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e8a46f7b0f389ba1ac942ef0151e106cb344330e83f16d6c3d83f2720588b12
                                                              • Instruction ID: dd99323be46fae11c2aadcee3feeb7b2ac8cb9eb06cc41bee4355f4444a1a60f
                                                              • Opcode Fuzzy Hash: 7e8a46f7b0f389ba1ac942ef0151e106cb344330e83f16d6c3d83f2720588b12
                                                              • Instruction Fuzzy Hash: 4361F131B1C94A4FE7A9FB2C44957A977D6EF98344F0541BAD00EC32D3DEA9B8428381
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 666c62732febfd3c14f40ffcd4e031141cb362c9c9357e7a4f2723364bcd46a8
                                                              • Instruction ID: 1b394c94fbc644fd7710e05e77c65bca6009ca817c025fdc7440698ff40c569c
                                                              • Opcode Fuzzy Hash: 666c62732febfd3c14f40ffcd4e031141cb362c9c9357e7a4f2723364bcd46a8
                                                              • Instruction Fuzzy Hash: D7E0C220A1892A4BE758F6189441EBA77C5EB887A8B840478F80CD32A2CD7CBA814381
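Each record above is one function the Joe Sandbox IDA plugin recovered from a process memory dump: the Source File names the dump (the leading number, 2, 4 or 6 here, and the mapped base address, 0x7FF936870000 in the first dump and 0x7FF936860000 in the other two, both marked "based on PE: false"), and the Similarity block carries the identifiers used to match the function against other dumps and samples. Reading across the three dumps, the functions tagged with the String IDs "M_^", "=M_^" and "0zu6" recur in the dumps of processes 4 and 6 with the same API String ID and closely matching Instruction Fuzzy Hashes, while their Opcode ID (which equals the Opcode Fuzzy Hash field in every record) differs per dump. The script below, added here as a worked example and not part of the report or of Joe Sandbox's tooling, parses records in this layout and cross-references them by API String ID and by fuzzy-hash similarity. Two assumptions are labelled in the code: the leading number of the .sdmp name is taken as the report's process index, and similarity is scored as the fraction of hex digits that agree position by position, which is an illustration and not Joe Sandbox's own comparison. The input is five records copied from this section, reduced to the fields the example reads.

```python
"""Added example (not Joe Sandbox's code): parse the Memory Dump Source /
Similarity records of this report section and cross-reference them across
the dumps of the analysed processes.  Assumptions not stated by the report:
the leading number of an .sdmp name is taken as the report's process index,
and similarity is the fraction of equal hex digits at equal positions of the
Instruction Fuzzy Hash (Joe Sandbox's own comparison is not public)."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed input: five records copied from this section (process indexes
# 2, 4 and 6), reduced to the fields this example reads.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000002.00000002.996230544.00007FF936870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936870000, based on PE: false
• Snapshot File: hcaresult_2_2_7ff936870000_btoawpdtjhjawd.jbxd
• API ID:
• String ID: 0zv6
• API String ID: 0-1054245330
• Instruction Fuzzy Hash: DEF0BB72D18A4A4FF748DB6484656E97BA1FF94350F84017AC115D72C2DE7CB9068741
Memory Dump Source
• Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
• Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
• String ID: M_^
• API String ID: 0-921959145
• Instruction Fuzzy Hash: D5210522E4D24A5FE759EB2C54686B97FA0FF88304F8504B9D148C3283EEB97805C711
Memory Dump Source
• Source File: 00000004.00000002.1078449164.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
• Snapshot File: hcaresult_4_2_7ff936860000_btoawpdtjhjawd.jbxd
• String ID: 0zu6
• API String ID: 0-368824849
• Instruction Fuzzy Hash: 9FF09632D1864A4FF744EB6485656E97BA2FF84310F8101BAC216D7282DF6869068741
Memory Dump Source
• Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
• Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
• String ID: M_^
• API String ID: 0-921959145
• Instruction Fuzzy Hash: E321E521E4C68A4FE399EB2844A56B93FE4EF89205B8141B9D148C32D3EEBE7805C311
Memory Dump Source
• Source File: 00000006.00000002.1161376322.00007FF936860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF936860000, based on PE: false
• Snapshot File: hcaresult_6_2_7ff936860000_btoawpdtjhjawd.jbxd
• String ID: 0zu6
• API String ID: 0-368824849
• Instruction Fuzzy Hash: 34F09631D18A4A4FF744EB6485656E97BE2FF85310F8101BAC215D7292DE6868069741
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
# <proc index>.<dump no>.<id>.<base address>. ... .sdmp  (proc index: assumption)
SDMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.")


def parse_records(text):
    """One dict per function record; a record starts at each 'Memory Dump Source' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {"proc": None, "base": None, "pe_backed": None}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2)
    for r in records:
        src = r.get("Source File", "")
        m = SDMP_RE.match(src)
        if m:
            r["proc"] = int(m.group(1))
            r["base"] = int(m.group(4), 16)
        r["pe_backed"] = src.endswith("based on PE: true")
    return records


def by_api_string_id(records):
    """API String ID -> set of process indexes whose dump contains that function."""
    groups = defaultdict(set)
    for r in records:
        if r.get("API String ID"):
            groups[r["API String ID"]].add(r["proc"])
    return dict(groups)


def hash_similarity(h1, h2):
    """Assumed metric: fraction of hex digits equal at the same position (0.0..1.0)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)


def cross_process_matches(records, threshold=0.6):
    """(proc_a, string_a, proc_b, string_b, score) for record pairs from different
    process dumps whose Instruction Fuzzy Hashes score at least `threshold`."""
    out = []
    for a, b in combinations(records, 2):
        if a["proc"] == b["proc"]:
            continue
        s = hash_similarity(a.get("Instruction Fuzzy Hash", ""), b.get("Instruction Fuzzy Hash", ""))
        if s >= threshold:
            out.append((a["proc"], a.get("String ID", ""), b["proc"], b.get("String ID", ""), round(s, 3)))
    return sorted(out, key=lambda t: -t[4])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(len(recs), "records from process dumps", sorted({r["proc"] for r in recs}))
    for key, procs in by_api_string_id(recs).items():
        print("API String ID", key, "present in process dumps", sorted(procs))
    for pa, sa, pb, sb, score in cross_process_matches(recs, 0.6):
        print(f"proc {pa} {sa!r} ~ proc {pb} {sb!r}: {score}")
```

On the records copied here the two "0zu6" functions from processes 4 and 6 score about 0.84 under the assumed metric, the process-2 "0zv6" function scores 0.70 against the process-4 one, and the two "M_^" functions score 0.60, while pairs of unrelated functions stay well below that. Because the Opcode ID differs between dumps even where the String ID and API String ID agree, an exact-ID lookup alone would not link these records across the three processes; the fuzzy comparison is what ties them together, which is the question an analyst asks when deciding whether child processes are running the same code as the parent.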